EEOC Publishes Updated Guidance On Employer COVID-19 Policies
- While the Equal Employment Opportunity Commission’s (EEOC) May 28, 2021 guidance (the “EEOC Guidance”) largely is consistent with its previous pronouncements regarding employer mandatory COVID-19 policies, including policies regarding vaccinations, the new EEOC Guidance adds some color that is helpful to most alternative asset managers.
- The EEOC confirms that employers seeking to institute mandatory vaccination policies likely can do so under federal equal employment laws, subject to certain limitations and requirements. As discussed below, however, doing so raises a number of legal and practical concerns which firms will want to consider.
- The federal, state and local legal issues surrounding employer COVID-19 policies remain nuanced and multifaceted; firms should obtain legal counsel in designing and implementing their policies.
On Friday, May 28, 2021, the EEOC issued updated guidance regarding COVID-19 policies, including employer policies encouraging or requiring employees to become vaccinated in order to enter the workplace. While largely consistent with the agency’s prior administrative interpretations of the Americans with Disabilities Act (ADA) and Title VII of the Civil Rights Act (“Title VII”) with respect to COVID-19, the EEOC Guidance contains some additional texture that is helpful to firms seeking to require vaccinations for employees entering the office. Among the main takeaways are the following:
1. Firms can ask employees whether they are vaccinated. As the EEOC previously has made clear, firms are permitted to ask employees and applicants whether they are vaccinated and/or intend to get vaccinated. Such a question is not a “disability-related inquiry,” as there are many reasons why an individual may or may not become vaccinated, and thus an individual’s vaccination status does not reveal the existence of a disability. See EEOC Guidance, K.9. When inquiring about vaccination status, however, firms should avoid asking other questions that may solicit medical information, such as questions regarding why an employee did not receive a vaccine. Further, the EEOC Guidance takes the somewhat inconsistent position that an employee’s vaccination status is “confidential medical information” for purposes of the ADA. This means that upon receiving information regarding an employee’s vaccination status, a firm should treat this information confidentially and keep it separate from other employee personnel information.
2. Firms generally can require employees to become vaccinated in order to enter the workplace under federal equal employment opportunity laws. A firm likely can institute a mandatory vaccination policy for employees entering the office, subject to its obligations under applicable antidiscrimination laws, such as the ADA, Title VII, and state and local analogs. Under these laws, a firm must consider a potential exception to a mandatory vaccination policy for employees who cannot become vaccinated due to a disability or sincerely held religious belief. The EEOC Guidance also notes the agency’s limited jurisdiction, stating that other federal, state or local laws may limit an employer’s ability to implement mandatory vaccine requirements, as discussed in Section 8, below.
3. Firms implementing vaccine policies should consider certain “best practices.” Firms should consider certain best practices when implementing an employee vaccination policy. For example, firms announcing a mandatory policy should consider including a reminder about their reasonable accommodation policies under the ADA, Title VII, and applicable state and local laws. Firms also should designate a contact person(s) to address requests for a reasonable accommodation; ensure that firm employees are aware of this contact person(s); and ensure that managers and supervisors are sufficiently trained regarding the firm’s policies to recognize an implicit request for a reasonable accommodation when they hear one.
4. Firms that implement mandatory vaccine policies must consider exceptions for employees with disabilities who request a reasonable accommodation. If an employee seeks an exception from a mandatory vaccination policy due to an alleged disability, a firm must engage in a two-step process: First, the firm must consider whether the unvaccinated employee’s attendance in the office would pose a “direct threat” to other employees or office visitors. Second, if such a threat exists, the firm must consider whether a reasonable accommodation is available to allow the employee to continue performing his or her job without imposing an undue hardship on the firm. The foregoing analyses must be made on a case-by-case basis with respect to the particular employee, position and workspace at issue. Employees with pregnancy-related disabilities are entitled to reasonable accommodations to the same extent as non-pregnant workers.
- Establishing a Direct Threat: In addressing whether an employee poses a direct threat, the relevant factors include (a) the duration of the risk posed by the unvaccinated employee; (b) the nature and severity of the potential harm he or she could cause; (c) the likelihood that the potential harm will indeed occur; and (d) the imminence of the potential harm. Firms can expect unvaccinated employees to argue, inter alia, that so long as they wear face coverings and socially distance while in the office, they will not pose a significant threat to fellow employees or office visitors—particularly those who already are vaccinated. In response, firms are likely to focus on the life-and-death nature of COVID-19 infections, the threats posed to others in the office and their families, and the imperfect protections that masking and social distancing offer. Indeed, the EEOC Guidance lists several factors that may buttress a “direct threat” argument, particularly in the context of the typical fund manager workplace: (i) “whether the employee works alone or with others”; (ii) whether the employee “works inside or outside”; (iii) “the available ventilation” in the workplace; (iv) “the frequency and duration of direct interaction the employee typically will have with other employees and/or non-employees”; and (v) “the space available for social distancing.”1 Because many asset managers have relatively small offices, with open floorplans, with a limited number of individual offices, in a highly collaborative environment in which windows cannot be opened, such firms would appear better-positioned to establish a direct threat than many other types of employers, such as those whose employees work outdoors; on a large, well-ventilated shop floor; or in individual offices. The threshold for establishing a direct threat nevertheless is a high one, and there are no guarantees that a firm will prevail in any resulting litigation. Further, to the extent firms have permitted unvaccinated/masked employees or visitors into their offices to date, such history could undercut an argument that such individuals pose a direct threat. But in light of the myriad considerations firms must balance in addressing COVID-19—including the risks of tort claims in the event an employee or visitor (or one of their family members) contracts COVID-19 via the workplace—firms may be willing to take their chances in establishing a direct-threat defense.
- Engaging in the Reasonable Accommodation Process: Assuming an unvaccinated employee poses a direct threat to the safety of the workplace, a firm must consider whether a reasonable accommodation would allow the employee to perform the essential functions of his or her job. Among the potential accommodations a firm may consider are “staggered shift[s], making changes in the work environment (such as improving ventilation systems or limiting contact with other employees and non-employees),” requiring periodic negative COVID-19 tests, and/or “permitting telework if feasible.” See EEOC Guidance, K.2, K.5. Firms do not need to provide an employee with his or her “first choice” of reasonable accommodation and can instead choose among potential accommodations. Further, accommodations are not required where they would impose an “undue hardship”—meaning “significant difficulty or expense”—upon the firm. See EEOC Guidance, K.6. Where no reasonable accommodation is available, an employer generally is permitted to terminate the unvaccinated employee’s employment. But see Section 8, below.
5. If an employee claims that he or she cannot become vaccinated due to a sincerely-held religious belief, firms must engage in a reasonable accommodation analysis. Under Title VII and various state and local anti-discrimination laws, firms also must provide a reasonable accommodation to employees whose sincerely held religious beliefs prevent them from getting vaccinated, unless offering such an accommodation would pose an “undue hardship” on the firm. Notably, however, the standard for establishing an undue hardship with respect to a religious belief is far less exacting than the ADA undue hardship test discussed above. Establishing such a hardship in the case of a religious belief requires showing only that an accommodation would have “more than minimal cost or burden” on the firm.
6.Firms can encourage employees to get vaccinated. Firms have wide latitude to encourage employees to become vaccinated. See EEOC Guidance, K.3. For example, firms can educate employees about the benefits of vaccinations, share applicable Centers for Disease Control and Prevention (CDC) and local health department guidance, and/or provide information about where employees can receive the vaccine. Firms also can voluntarily offer paid time off to employees to get the vaccine and/or to recover from its side effects. Indeed, some jurisdictions—including New York—require firms to provide employees with leave to obtain the vaccine.2If a firm or its agent administers the vaccine, incentives for becoming vaccinated cannot be so substantial that an employee would feel coerced into doing so.
7. Firms are permitted to require employees to test negative for COVID-19 before being present in the workplace. The EEOC Guidance does not alter the EEOC’s previously stated position on the permissibility of COVID-19 testing. Under the ADA, any mandatory medical test of an employee must be job-related and consistent with business necessity. The EEOC has indicated that COVID-19 testing is permissible because an employee with the virus will pose a direct threat to the health of others in the workplace. As such, COVID-19 testing administered by firms in a manner consistent with current CDC guidance generally will satisfy the requirements of the ADA. See EEOC Guidance, A.6.
8. Laws in some states may impact mandatory vaccine requirements. The EEOC notes that its jurisdiction is limited to federal anti-discrimination statutes, and that other laws may impact a firm’s ability to impose a mandatory vaccine requirement. Indeed, states and localities across the country have promulgated a raft of legislation, executive orders, and ordinances with respect to COVID-19, and we currently are tracking various bills that would prohibit or limit the ability of firms to implement mandatory vaccine policies in certain states.3 Further, a recent lawsuit has challenged a company’s mandatory vaccination policy, arguing that it violates Texas public policy. The suit relies heavily on federal law relating to the emergency use of medical products, and suggests that the vaccine is not sufficiently safe for an employer “mandate.”4 Firms should remain cognizant of the pending bills and of litigation-based challenges to requiring employee vaccinations.
Finally, while not addressed in the EEOC Guidance, firms also should weigh practical and commercial considerations in designing COVID-19 policies. Employee views regarding vaccinations vary widely, and firms will need to consider not only their employees, but other potential office visitors, such as actual and potential investors, who all will have their own views on these subjects. In addition, firms must remain cognizant of the highly dynamic nature of the coronavirus—including changing societal infection rates, rising population vaccination rates, the potential emergence of new strains of the virus, the issuance of new CDC or other health guidance, the potential passage of new legislation, etc.—and be prepared to adjust their approach based on relevant developments. As always, we are available to help firms think through these important issues.
OSHA Issues Updated COVID-19 Guidance For All Workplaces
On June 10, 2021, the U.S. Occupational Safety and Health Administration (OSHA) issued updated guidance on mitigating and preventing the spread of COVID-19 in all workplaces. Though employers in all industries have been waiting for months for OSHA’s expected issuance of Emergency Temporary Standards (ETS), OSHA only issued an ETS applicable to healthcare workers, effectively ending the likelihood of COVID-19 emergency standards for other business sectors.
The updated guidance, which largely aligns with current CDC guidance, focuses on encouraging COVID-19 vaccination and protecting unvaccinated and otherwise at-risk workers. The guidance states that except for workplace settings covered by OSHA’s ETS (for healthcare settings) and mask requirements for public transportation, “most employers no longer need to take steps to protect their workers from COVID-19 exposure in any workplace, or well-defined portions of a workplace, where all employees are fully vaccinated. Employers should still take steps to protect unvaccinated or otherwise at-risk workers in their workplaces, or well-defined portions of workplaces.”
OSHA recommends employers do that by engaging with workers and their representatives to “determine how to implement multi-layered interventions to protect unvaccinated or otherwise at-risk workers and mitigate the spread of COVID-19,” including measures such as:
- Granting paid time off for employees to get vaccinated
- Instructing workers infected with COVID-19 or who have symptoms (or unvaccinated employees who have had close contact with an infected person) to stay home
- Implementing physical distancing for unvaccinated and other at-risk workers in communal areas
- Providing unvaccinated and otherwise at-risk workers with face coverings or surgical masks (unless their work task requires a respirator or other PPE)
The guidance is advisory in nature but does clearly reference mandatory safety and health standards throughout. Even though the guidance describes itself as voluntary, employers may wish to heed the guidance to avoid claims that they have failed to provide a safe workplace, in violation of the Occupational Safety and Health Act’s General Duty clause, Section 5(a)(1) (which requires employers to provide workers with a safe and healthful workplace).
OSHA Announces COVID-19 Emergency Temporary Standards For The Healthcare Industry
The Occupational Safety and Health Administration (OSHA) has announced that it will release Emergency Temporary Standards (ETS) for the health care industry as early as June 10, 2021. The ETS will apply to healthcare and healthcare support service workers with the goal of better protecting them from occupational exposure to COVID-19. This will include, among others, employees working in hospitals, nursing homes, assisted living facilities, and ambulatory care facilities. It will also include employees working as emergency responders (with private employers) and home healthcare workers.
What Is Required?
The ETS will require a health care industry employer with covered employees to conduct a hazard assessment and to prepare a written action plan for COVID-19 mitigation. The employers must also provide and ensure the use of requisite PPE (e.g., masks) and require proper social distancing (i.e., six feet) between workers (and erecting barriers if that is not possible). The ETS also requires covered employers to provide employees with paid time off in order to get vaccinated and to recover from any side effects. The ETS does, however, exempt fully vaccinated workers from the PPE and social distancing requirements in circumstances where there is no reasonable expectation that they will come in contact with anyone suspected or confirmed to have COVID-19.
When Must You Comply?
The ETS will take effect immediately upon its publication in the Federal Register. Employers will then have only 14 days within which to come into compliance with the majority of the requirements. OSHA has stated, however, that for the time being it will take into consideration an employer’s good faith efforts to comply with the ETS when determining whether to issue a citation for any violation.
How Long Will It Be In Effect?
The ETS would likely stay in effect until or unless it is superseded by a permanent standard (which can take approximately six months). Until that time, OSHA has stated that it will update the ETS, when necessary, to align with the Center for Disease Control and Prevention guidelines and to respond to changes in the COVID-19 pandemic.
CDC Extends Eviction Moratorium Through July
The Centers for Disease Control and Prevention (CDC) on Thursday announced a one-month extension to the nationwide pause on evictions put in place amid the coronavirus pandemic.
The eviction moratorium, which was set to expire this month, will now last through July under the new order, which is expected to be the final extension, the CDC said.
“The COVID-19 pandemic has presented a historic threat to the nation’s public health,” the CDC said in a statement. “Keeping people in their homes and out of crowded or congregate settings—like homeless shelters—by preventing evictions is a key step in helping to stop the spread of COVID-19.”
The federal moratorium allows tenants who have lost income during the pandemic to protect themselves from eviction by declaring under penalty of perjury that they have made their best effort to pay rent and would face overcrowded conditions if evicted.
The extended protections come as landlords and property owners have sought to evict tens of thousands of cash-strapped renters from their homes and as federal rental aid continues to make its way to needy tenants.
Some state governments, which bear responsibility for distributing more than $45 billion in federally funded rental assistance, have been slow to make disbursements.
A Biden administration official who briefed reporters on background Thursday was unable to provide specific details on how much federal assistance has been provided by states to date but added that “we are seeing a trajectory of increase.”
The eviction pause has also faced numerous legal challenges, including an emergency petition currently pending at the Supreme Court.
Earlier this month, a group of landlords asked the high court to effectively end the moratorium, writing in a court brief that property owners have lost $13 billion each month under the eviction freeze.
That petition came after a federal judge in Washington, D.C., ruled in May that the moratorium amounted to an unlawful government overreach. But the judge agreed to delay enforcement of that ruling while the Biden administration appealed. A federal appeals court declined to lift the stay.
Judges in other parts of the country have reached various conclusions about the policy’s lawfulness, creating a patchwork of legal interpretations nationwide.
The Justice Department continues to defend the moratorium’s lawfulness in court and earlier this month urged the Supreme Court to reject the landlords’ request to effectively end the policy.
Georgia Prohibits State-Implemented COVID-19 Vaccine Passport Programs And Restricts Disclosure Of Individuals’ Vaccination Status
On May 25, 2021, Governor Brian Kemp signed an Executive Order (Order) prohibiting any state agency, provider of state services, or state property from implementing a Vaccine Passport Program (VPP)1 or otherwise requiring an individual to provide proof of COVID-19 vaccination. The Order further states that no data from the Georgia Registry of Immunization Transaction and Services will be shared with public or private entities for the purpose of facilitating a VPP or for otherwise determining the COVID-19 vaccination status of any individual.
Critical Takeaways for Employers
While several states have recently issued orders prohibiting business from inquiring about a customer’s vaccination status, Georgia is the first to address whether proof of COVID-19 vaccination can be used as a condition of employment. Although a bit ambiguous, Georgia’s Order provides that “no state or agency employee shall be afforded employment-related privileges, accommodations or circumstances of employment or otherwise be held subject to different rules or requirements than other employees” based on COVID-19 vaccination status. Specifically, the Order provides that state agencies, providers of state services, and state properties are prohibited from requiring proof of COVID-19 vaccination as a condition to, among other things, being employed by or enjoying any other rights or privileges provided by the state.
Private employers are prohibited only from accessing or using data from the Georgia Registry of Immunization Transactions and Services or any other COVID-19 vaccination data held by the state for a VPP or to otherwise determine the vaccination status of individuals for, among other things, employment purposes. As such, while the Order prohibits private employers from accessing or using the vaccination data held by the state, the Order does not explicitly prohibit private employers from requesting proof of vaccination from their employees through any source other than the state-held data.
Importantly, private employers that elect to request proof of vaccination must be mindful they do not implicate the Americans with Disabilities Act by asking subsequent questions that might elicit information about a disability. The EEOC’s May 28, 2021 guidance clarifies that it believes a person’s vaccination status is medical information that an employer must keep confidential and stored separately from an employee’s personnel file. Additionally, while the Order does not address whether a private employer may condition employment or otherwise exclude individuals from the workplace if they refuse to provide proof of vaccination, this does not mean that private employers may do so with impunity. Before taking any such course of action, private employers must conduct an individualized analysis and determine whether any rights under federal or state law apply.
New Law Prohibits Florida Businesses From Requiring Vaccine Passport From Patrons And Customers
On May 3, Governor Ron DeSantis signed into law SB 2006 (codified as Section 381.00316, Florida Statutes). The law prevents business entities from requiring that patrons or customers provide documentation certifying COVID-19 vaccination or post-infection recovery to enter or obtain service from a business in Florida. It also prohibits educational institutions from requiring students or residents, and governmental entities from requiring persons, to provide vaccination passports or proof of post-infection recovery. The law does not prohibit screening protocols consistent with authoritative or controlling government-issued guidance, including those requiring facial coverings.
Although the law takes effect on July 1, 2021, as to the prohibition applicable to business entities, it effectively is an extension of signed Executive Order 21-81, which became effective in Florida on April 2, 2021. Violation of SB 2006 can result in a fine of up to $5,000 per violation. SB 2006 includes certain exemptions, including health care providers.
Like Executive Order 21-81, Section 381.00316 does not appear to prohibit business from requiring their own employees from showing proof of vaccination. Employers must, however, carefully analyze how such a requirement may be affected by the Americans with Disabilities Act, Title VII’s religious protections, and other laws.
Businesses must balance the new statutory mandate against requiring vaccine passports for patrons and customers with potential liability exposure for spreading COVID-191 and the duty to protect employees. As a result, businesses that have not already done so should consider updating their COVID-19-related policies and employee handbook to require compliance with authoritative or controlling government-issued health standards or guidance to prevent the spread of COVID-19.
Texas Passes Bill Prohibiting Businesses From Requiring Vaccine Passports For Customers, But Not Employees
On June 7, 2021, Texas Gov. Greg Abbott continued to emphasize that Texas is open for business by signing into law S.B. 968, which prohibits Texas businesses from requiring customers to provide documentation of COVID-19 vaccination—including through the use of “vaccine passports”—to gain access to or receive service from the business. The law went into effect immediately and specifically prohibits Texas businesses from requiring that customers “provide any documentation certifying the customer’s COVID-19 vaccination or post-transmission recovery on entry to, to gain access to, or to receive service from the business.” The penalty for failure to comply with the law may be significant, as Texas businesses that fail to comply are not eligible to receive state grants or enter into contracts with the state.
Texas businesses may be wondering what effect S.B. 968 may have on their ability to require employees to be vaccinated or to utilize “vaccine passports” for return of employees to work. As noted above, the language of the bill limits its applicability to customers and does not address the employee-employer relationship. Moreover, the bill expressly provides that it may not be construed as “restrict[ing] a business from implementing COVID-19 screening and infection control protocols in accordance with state and federal law to protect public health.”
On May 28, 2021, the U.S. Equal Employment Opportunity Commission (EEOC) issued updated guidance on the COVID-19 vaccine and explained that “federal EEO laws do not prevent an employer from requiring all employees physically entering the workplace to be vaccinated for COVID-19, subject to the reasonable accommodation provisions of Title VII and the ADA and other EEO considerations.” The updated EEOC guidance also confirmed that the laws do not prohibit employers from requiring employees to bring in documentation or other confirmation of vaccination status, so long as the information is kept confidential in accordance with the ADA. Thus, while Texas businesses may not require proof of vaccination from customers, Texas employers may still require employees to get vaccinated and provide proof of vaccination before returning to work, subject to the reasonable accommodation provisions of Title VII and the ADA and other EEO considerations.
New York State Updates COVID-19 Office Rules As Vaccination Numbers Continue To Rise
On June 8, 2021, the New York State Department of Health released updated interim guidance for office-based workplaces that removes significant prior restrictions. This new guidance comes on the heels of Governor Andrew Cuomo’s recent announcement that once 70% of adult New Yorkers have received at least the first dose of the COVID-19 vaccine, almost all applicable guidance will become optional, except that unvaccinated individuals still need to wear face coverings and maintain social distancing. According to Governor Cuomo, New York is expected to hit the 70% threshold during the week of June 14, if not earlier.
The updated Interim Guidance for Office-Based Work During the COVID-19 Public Health Emergency (Office Guidelines) represents the most substantive overhaul of New York’s guidance to office-based workplaces since it was first implemented last year, including updates to prior guidance on physical distancing, face coverings, workplace activity, reopening processes, and screening/testing. The most significant changes are outlined below.
Screening and Testing
Perhaps most significantly, the Office Guidelines no longer mandate a daily health screening questionnaire for employees reporting to work at an office. While employers are still required to implement health screenings, they may meet the screening requirement using signage at points of entry, by email/website, by telephone, or by electronic survey.
A screening sign or procedure should state that an employee should not enter the office if they (1) are currently or have recently (within the last 48 hours) experienced symptoms of COVID-19; (2) have had close contact (or proximate contact) in the last 10 days with any person confirmed by diagnostic test, or suspected based on symptoms, to have COVID-19; or (3) have tested positive for COVID-19 in the last 10 days.
Notably, the Office Guidelines provide that individuals need not be screened for close contacts with COVID-19 if the individuals being screened are fully vaccinated or if they have fully recovered from a lab-confirmed COVID-19 case within the last three months. Such individuals instead should monitor for COVID-19 symptoms for 14 days following an exposure.
As discussed in previous LawFlashes (Multiple States, Including the New York Tristate Area, Announce Significant Rollback of COVID-19 Capacity Limit Restrictions and New York to Implement CDC Guidance on Indoor Mask Use and Social Distancing), New York State recently eliminated most capacity restrictions and adopted the Centers for Disease Control and Prevention (CDC) guidance providing that fully vaccinated individuals do not need to wear a face covering or socially distance in most settings.
The updated Office Guidelines incorporate New York’s adoption of the CDC guidance, providing that businesses may allow for fully vaccinated employees to return to offices at full capacity without requiring such employees to wear a face covering or socially distance. Businesses may choose to adopt the CDC guidance for the entire establishment or a separate, designated part of the establishment. Businesses still have the option to require face coverings and six feet of social distancing for employees regardless of vaccination status if they choose to do so. While New York State does not require that businesses obtain proof of vaccination, the Office Guidelines provide that businesses may obtain proof of full vaccination status via paper or digital form, or the state’s Excelsior Pass.
Businesses are still directed to require unvaccinated employees to wear face coverings and maintain six feet of social distancing. Businesses may also use their discretion in determining how they wish to apply guidelines for vaccinated individuals and unvaccinated individuals, or those whose vaccination status is unknown. Such steps may include posting signage asking unvaccinated individuals to socially distance and continue to wear face coverings; designating separate elevators for vaccinated and unvaccinated individuals; and setting maximum space capacity for unvaccinated individuals to the extent needed to maintain the required social distance. Similarly, in other small spaces (e.g., storage or supply closets), businesses should ensure indoor occupancy does not exceed the capacity required to maintain social distance, if necessary, as set forth by the Office Guidelines, unless it is designed for use by a single occupant or all individuals are fully vaccinated.
In areas where vaccination status is unclear or in unvaccinated sections of an establishment, businesses must ensure that a distance of at least six feet is maintained between all employees, barring a core business activity requiring a shorter distance.
The Office Guidelines also remove several previous recommendations for physical distancing. For example, businesses are no longer encouraged or required to close or adjust common seating areas, and “strict clean desk policies” are no longer recommended. Physical barriers are no longer required, but if used should be put in place in accordance with Occupational Safety and Health Administration (OSHA) guidelines.
Importantly, the Office Guidelines no longer encourage allowing employees to work from home, though employers may of course continue to permit employees to do so. The Office Guidelines also provide that formerly required measures to reduce interpersonal contact and congregation are now just recommendations. Such measures could include adjusting hours, reducing an in-office workforce, shifting an office’s design, and staggering tasks.
The Office Guidelines no longer encourage businesses to engage in either remote work or phased reopening activities.
Given the Office Guidelines, New York employers can permit fully vaccinated individuals to return at full capacity without social distancing and without wearing face coverings while at work. However, the Office Guidelines continue to require multiple reopening measures. For example, businesses must still create and post mandatory site safety plans and designate monitors to ensure compliance with those plans, maintain logs with the time and scope of all cleanings and disinfection, report positive cases and cooperate in contact tracing efforts by local health departments, prohibit shared self-serve meals and beverages among employees, and attest to having reviewed and understood the Office Guidelines before reopening.
Because the Office Guidelines distinguish between vaccinated and unvaccinated employees, employers should consider retaining documentation (or at least an affirmation) of an employee’s vaccination status, while being mindful that such records should be treated as confidential information and maintained in a secure location separate and apart from the employee’s personnel files (similar to how employers were required to treat daily attestations). If businesses choose not to maintain proof of vaccination, they should consider how to comply with the new guidance and clearly communicate in advance with all individuals who will enter their businesses—whether via signage at points of entry, email, or website posting—regarding their approach to vaccinations.
Finally, as the vaccination rate quickly approaches the 70% threshold at which Governor Cuomo stated most COVID-19 requirements will instead become recommendations, employers should closely monitor for forthcoming updates regarding changes to the remaining requirements applicable for their industries.
NYC Tenant Data Privacy Act
Owners of New York City apartment buildings should take notice of the new Tenant Data Privacy Act (the TDPA). The TDPA will regulate the collection, use, safeguarding, and retention of tenant data by owners of “smart access” residential buildings. The new law was enacted on May 30, 2021 and will become effective at the end of June 2021. Owners of New York City residential buildings will have until January 1, 2023, to come into compliance.
New Policies Under the TDPA
The TDPA defines smart access buildings as any multiple dwelling that uses an electronic keyless entry system (e.g. a key fob), radio frequency identification cards, mobile apps, biometric information or other digital technology to access a multiple dwelling, common areas or individual units. A multiple dwelling is a residential building with at least three units.
Under the TDPA, landlords of smart access buildings will be required to do the following:
- Obtain express consent from tenants, either in writing or through a mobile application, before collecting reference data. Smart access systems use reference data to verify that an individual is authorized to enter.
- Implement security measures to protect tenants’ data, such as encryption, password reset capability and regular updates to firmware that address security vulnerabilities.
- Destroy authentication data no later than 90 days after collection. Authentication data is generated at the point of authentication when granting a user entry to a smart access building.
- Limit the categories of collected data to (i) name, (ii) preferred method of contact, (iii) lease information, (iv) unit number, (v) biometric identifier information, (vi) time and method of access (only for security purposes), (vii) password and username used to grant entry and (viii) identifying information associated with the smart access hardware.
Prohibited Practices Under the TDPA
Landlords and any other entities that collect data through smart access systems will be prohibited from selling or disclosing tenant data to third parties, engaging in location tracking outside the premises, and determining the frequency of tenant and guest ingress/egress. Landlords will also be prohibited from collecting information about tenants’ use of internet services and utilities.
The TDPA creates a private right of action for tenants whose data is sold and used in violation of the TDPA. Such tenants may seek compensatory damages or statutory damages ranging from $200 to $1,000 per tenant, as well as attorneys’ fees. Whether the law grants such rights to tenants of a cooperative remains an open question. In addition to the private right of action granted to tenants, landlords and system providers will be required to delete any data collected in violation of the TDPA.
New York City Releases A New Biometric Law Bringing With It A Private Right Of Action
New York City’s new biometric law (the “biometric identifier information” law), which will go into effect on July 9, 2021, imposes notice requirements, broadly prohibits the sale of biometric information, and, notably (and arguably most concerning for New York City businesses), creates a private right of action (applicable to any consumer in New York City, not just a New York City or even a New York State resident).
New York City’s law has two broad aims. First, it imposes a notice and disclosure requirement on businesses that collect consumer biometric information. Second, it prohibits the exchange of consumer biometric information for anything of value.
Under this new law, “‘biometric identifier information’ means a physiological or biological characteristic that is used by or on behalf of a commercial establishment…to identify, or assist in identifying, an individual.” The definition also provides a non-exhaustive list of examples, including “(i) a retina or iris scan, (ii) a fingerprint or voiceprint, [and] (iii) a scan of hand or face geometry, or any other identifying characteristic.” Further, the law is applicable to any “commercial establishment,” or “place of entertainment, a retail store, or a food and drink establishment.” Interestingly, a “place of entertainment” is broadly defined as “any privately or publicly owned and operated entertainment facility such as a theatre, stadium, arena, racetrack, museum, amusement park and observatory, or other place where attractions, performances, concerts, exhibits, athletic games or contests are held.” The law also encompasses consumer retail stores and restaurants (including food trucks and/or food vendors).
Notably, a “‘customer’ means a purchaser or lessee, or a prospective purchaser or lessee, of goods or services from a commercial establishment[,]” and is applicable to any consumer (not just a New York City or New York State resident).
The below will briefly outline some of the key requirements and prohibitions imposed by New York City’s law.
1. Collection notice requirement:
A commercial establishment that “collects, retains, converts, stores or shares biometric identifier information of customers” must place a “clear and conspicuous sign” near all consumer entrances that, in plain language, discloses the collection, retention, or sharing of biometric information. This notice is required even if an establishment does not actively collect biometric identifier information.
This provision is not applicable to financial institutions, which are broadly defined but is applicable to “commercial establishment[s]” that primarily sell goods and services, where the issuance of credit cards or in-store financing is incidental or limited. Likewise, it is inapplicable to instances where the biometric information is not “analyzed by software or applications that identify, or that assist with the identification of, individuals based on physiological or biological characteristics” and is not sold or leased to third parties (unless the third-party is a law enforcement agency).
2. Sale prohibition:
In addition to the notice provision, it is unlawful to “sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.” Interestingly, this provision does not appear to be limited to commercial establishments. For example, financial institutions are not specifically exempted, employee information may arguably be subject to the prohibition, and the law is silent on sharing biometric information absent any form of compensation.
3. Enforcement and damages:
As stated, the most notable risk is an “aggrieved” consumer’s private right of action. More specifically, “[a]ny person who is aggrieved by a violation by this chapter” is entitled to commence an action to enforce its protections. Significantly, although the law provides a 30-day cure period where a business does not comply with the notice requirement, there is no corollary cure period where a business violates the prohibition on the sale of biometric identifier information. In terms of the scope of damages, there is a $500 fine where a business violates the notice requirement or negligently violates the sale prohibition. However, if the violation of the sale prohibition is intentional or reckless, there is a $5,000 fine. Further, in addition to the availability of equitable relief (an injunction), a prevailing plaintiff may also recover attorneys’ fees, costs, and whatever other relief a court may deem appropriate.
We note that the availability of a private right of action does create an avenue for potential class litigation, and it will be interesting to see the evolution of theories in response to the law.
“[G]overnmental agencies, employers, or agents” are expressly excluded from compliance with any provision of this law.
In the absence of federal and New York State-specific legislation, we are continuing to monitor and assess the potential impact of this law, along with other biometrics-specific law in New York City. Another recent development in this space is the Tenant Data Privacy Act, which requires owners of multifamily smart access buildings to provide tenants with privacy policies and restrict the usage of data gathered from keyless entry systems. Enacted on May 28, 2021, and due to go into effect 60 days thereafter (note: this law will pass after Mayor de Blasio neither signed nor vetoed it on June 1, 2021), this act provides a grace period for existing smart access building owners until January 1, 2023.
Montana Will Protect Off-Duty Use Of Marijuana Next Year
Montana Governor Greg Gianforte signed legislation on May 18, 2021 that will provide protections for off-duty use of marijuana starting on January 1, 2022.
Montana citizens voted to legalize recreational marijuana in November 2020. The ballot initiative did not provide employment-related protections and focused on employer restrictions of on-duty use of the drug. The newly-signed recreational marijuana law still permits employers to take action based on the use of marijuana while working. Specifically, the law does not:
- Require employers to permit or accommodate recreational marijuana use (or other conduct permitted by the recreational marijuana law) in any workplace or on the employer’s property;
- Prohibit an employer from disciplining an employee for violation of a workplace drug policy or for working while intoxicated by marijuana or marijuana products;
- Prevent an employer from declining to hire, discharging, disciplining, or otherwise taking adverse employment against an individual because of the individual’s violation of a workplace drug policy or intoxication by marijuana or marijuana products while working;
- Prohibit an employer from including in any contract a provision prohibiting the use of marijuana for a debilitating medical condition; or
- Permit a cause of action against an employer under the State’s wrongful discharge or freedom from discrimination law.
However, employers should take note that the new bill also amended the lawful off-duty conduct statute. As revised, marijuana will be considered a “lawful product” under the law and employers may not refuse to hire or discriminate against an individual with respect to compensation, promotion, or the terms, conditions or privileges of employment because the individually legally uses marijuana off the employer’s premises during nonworking hours.
Notwithstanding the above restrictions, an employer can take action based on off-duty marijuana use if:
- The use of marijuana affects in any manner an individual’s ability to perform job-related employment responsibilities or the safety of other employees;
- The use of marijuana conflicts with a bona fide occupational qualification that is reasonably related to the individual’s employment;
- An individual has a professional services contract with an employer (on a personal basis) and the unique nature of the services provided authorizes the employer, as part of the service contract, to limit the use of certain products;
- The employer is a nonprofit organization that, as one of its primary purposes or objectives discourages the use of marijuana by the general public; or
- The employer acts based on the belief that its actions are permissible under an established substance abuse or alcohol program or policy, professional contract, or collective bargaining agreement.
For employers with drug testing programs, it may be difficult to take adverse employment actions for positive marijuana test results, particularly for pre-employment and random drug tests. In addition, the law does not define “intoxication.” Moreover, Montana has a restrictive drug testing statute that limits the categories of employees who can be subjected to employer drug testing in the first place.
Montana employers are encouraged to review their policies regarding marijuana and drug testing before the law takes effect on January 1, 2022.
The New York HERO Act: Guidance For Employers
On May 5, 2021, Governor Cuomo signed the New York Health and Essential Rights Act (the “HERO Act” or “Act”), which amends the New York Labor Law by adding two new sections imposing significant health and safety obligations on employers in response to the COVID-19 pandemic. Section 1 of the HERO Act adds a new Section 218-b to the Labor Law requiring all private employers to adopt an airborne infectious disease exposure prevention plan and provide the plan to all employees and prohibiting discrimination and retaliation against employees who exercise their rights under the Act. Section 2 of the HERO Act adds a new Section 27-d to the Labor Law requiring private employers of ten or more employees to allow employees to establish and administer a joint labor-management workplace safety committee.
Section 1 of the HERO Act takes effect on June 4, 2021, and Section 2 takes effect on November 1, 2021. However, a bill was recently introduced in the New York State Assembly (A.7747) to modify some of the terms of the HERO Act. One of the proposed amendments in Assembly Bill A.7747 would extend the effective date of Section 1 from 30 days to 60 days after the Act became law.
Section 1—Airborne Infectious Disease Exposure Prevention Plans
Section 1 of the HERO Act applies to all employers in New York State, except state or governmental agency employers, and covers any person providing services to such an employer, regardless of immigration status, including: 1) part-time workers; 2) independent contractors; 3) domestic workers; 4) temporary and seasonal workers; 5) individuals working for staffing agencies; and 6) individuals delivering goods or transporting people at, to or from the work site.
Adoption of the Model Standard or Individual Safety Plan
Section 1 of the Act requires the commissioner of the New York Department of Labor, in consultation with the Department of Health, to create and publish a “model airborne infectious disease exposure prevention standard for all work sites, differentiated by industry, to establish minimum requirements for preventing exposure to airborne infectious diseases in the workplace in order to protect the public and the workforce.” The model standard must develop protocols addressing several topics, including but not limited to: 1) employee health screenings; 2) face coverings; 3) personal protective equipment required by industry and at the employer’s expense; 4) accessible hand hygiene stations, including insuring that employers provide adequate break time for handwashing; 5) regular cleaning and disinfecting of shared equipment and frequently touched surfaces (i.e., workstations, telephones and doorknobs); 6) social distancing protocols for employees and third parties; 7) compliance with mandatory or precautionary orders of isolation or quarantine issued to employees; 8) compliance with applicable engineering controls such as proper air flow and exhaust ventilation; 9) designation of one or more supervisory employees to enforce compliance with the airborne infectious disease exposure prevention plan and any other federal, state, or local guidance related to avoidance of spreading an airborne infectious disease; 10) compliance with notification requirements to employees and relevant state and local agencies; 11) verbal review of infectious disease standards, employer policies and employee rights; and 12) anti-retaliation provisions.
Employers must either adopt and comply with the labor commissioner’s model plan relevant to their industry or develop their own plan that meets or exceeds the minimum standards provided by the model plan and the Act. If an employer adopts its own airborne infectious disease exposure prevention plan, the employer must develop the plan in consultation with the collective bargaining representative in a unionized workforce or with “meaningful” employee participation in a non-unionized workforce. An employer-developed plan must also be “tailored and specific to hazards in the specific industry and work sites” of the employer. The Act does not currently include a deadline for employers to adopt a plan once the labor commissioner publishes the model plan. One of the proposed amendments in Assembly Bill A.7747 would impose a 30-day deadline for employers to adopt a plan after the commissioner publishes the model standard relevant to their industry.
The Act requires the labor commissioner to publish the model plan in both English and Spanish, and other languages at the commissioner’s discretion based on the size of the population speaking each language and the prevalence of certain languages in particular industries. Employers must provide their airborne infectious disease exposure prevention plan to all employees in writing in English and in an employee’s identified primary language (to the extent the model airborne infectious disease exposure prevention plan is available in the employee’s identified primary language) upon the effective date of the HERO Act, upon hiring, and upon reopening after a period of closure due to airborne infectious disease.
Employers also must post their airborne infectious disease exposure prevention plan in a visible and prominent location within their worksites and include the plan in any employee handbook. The Act also requires employers to make their airborne infectious disease exposure prevention plan available, upon request, to all employees and independent contractors, employee representatives, collective bargaining representatives, and the commissioners of labor and public health.
Section 1 of the Act prohibits employers from discriminating, retaliating or taking adverse action against any employee for: 1) exercising their rights under Section 1 of the Act or under the applicable airborne infectious disease exposure prevention plan; 2) reporting violations of Section 1 of the Act or the applicable airborne infectious disease exposure prevention plan to any state, local, or federal government entity, public officer or elected official; 3) reporting an airborne infectious disease exposure concern to, or seeking assistance or intervention with respect to airborne infectious disease exposure concerns from, their employer, state, local, or federal government, public officer or elected official; or 4) refusing to work when the employee reasonably believes, in good faith, that such work exposes the employee, other employees or the public to an unreasonable risk of exposure to an airborne infectious disease due to the existence of working conditions that are inconsistent with law, including but not limited to the minimum standards provided by the model airborne infectious disease exposure prevention standard, with some exceptions.
The commissioner of labor may assess a penalty of not less than $50 per day for employers who fail to adopt an airborne infectious disease exposure prevention plan, and no less than $1,000 and no more than $10,000 for failing to abide by an adopted plan. Section 1 of the Act also permits employees to seek injunctive relief and for the courts to award costs, including reasonable attorneys’ fees, and liquidated damages up to $20,000.
Section 2—Workplace Safety Committee
Section 2 of the HERO Act applies to all private employers of at least ten employees. “Employees” are defined in Section 2 of the Act as all employees in the state of New York, except employees of the state, any political subdivision of the state, a public authority, or any other governmental agency.
Joint Labor-Management Workplace Safety Committee
Section 2 of the Act requires covered employers to permit employees to establish and administer a joint labor-management workplace safety committee. The committee shall be made up of employer and employee designees and must be comprised of at least two-thirds non-supervisory employees. The Act requires that employee members of the committee be chosen by, and from among, non-supervisory employees. Additionally, the committee must be co-chaired by a representative of the employer and non-supervisory employees.1 Section 2 of the Act also authorizes the creation of multiple committees representing geographically distinct worksites as necessary. Employers are prohibited from interfering with the selection of employees who serve on the committee.
The Act authorizes workplace safety committees to: 1) raise health and safety concerns, hazards, complaints and violations to the employer to which the employer must respond; 2) review and provide feedback on any workplace health and safety policy required by any provision of the HERO Act or the workers’ compensation law; 3) review the adoption of any policy in the workplace in response to any health or safety law, ordinance, rule, regulation, executive order, or other related directive; 4) participate in any site visit by any governmental entity responsible for enforcing safety and health standards in a manner consistent with any provision of law; 5) review any report filed by the employer related to the health and safety of the workplace in a manner consistent with any provision of law; and 6) schedule a meeting during work hours at least once per quarter. Employers must also permit safety committee designees to attend a training on the function of worker safety committees, rights established under Section 2 of the Act, and an introduction to occupational safety and health without loss of pay.
Employers are prohibited from retaliating against any employee who participates in the activities or establishment of a workplace safety committee. Employers who violate the anti-retaliation provision may be subject to penalties, including: 1) assessment of a civil penalty from $1,000 to $10,000; 2) injunctive relief; 3) liquidated damages up to $20,000; 4) costs and reasonable attorneys’ fees to the employee; 5) ordering rehiring or reinstatement of the employee to their former position with restoration of seniority or an award of front pay in lieu of reinstatement, and an award of lost compensation and damages.
Employers will have to act promptly either to adopt the model airborne infectious disease exposure prevention plan once issued by the State or to develop their own plan in compliance with Section 1 of the Act given Section 1, absent amendment, goes into effect on June 4, 2021. Employers should consult with counsel to ensure that their plans and employee handbooks and health and safety policies are compliant with the HERO Act.
Colorado Privacy Act Passes State Senate, Awaits Approval By Governor
On June 8, 2021, the Colorado Senate passed the Colorado Privacy Act (CPA) which, upon approval by Colorado’s governor, will go into effect on July 1, 2023. The CPA follows in the tradition of the California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (CDPA) by creating consumer rights and imposing requirements on businesses to guarantee greater protections over consumers’ personal data.
Application The CPA applies to entities that conduct business or intentionally target products or services to Colorado residents, and that either: control or process personal data of more than 100,000 consumers per calendar year directly or through processors; or derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers. The CPA contains notable exclusions for financial institutions subject to the federal Gramm-Leach-Bliley Act and for some types of health and patient information maintained by HIPAA covered entities.
Personal Data “Personal data” under the CPA is defined more broadly than “personal information” is defined in Colorado’s existing data security law. The CPA defines personal data to include “information that is linked or reasonably linkable to an identified or identifiable individual.” Neither publicly available nor de-identified information are included within this definition. As such, the CPA’s definition differs substantially from the Colorado data security statute’s definition of “personal information,” which is limited in scope to a Colorado resident’s first name or first initial and last name in combination with specific data elements, including (but not limited to) a Social Security number, student ID, military ID, drivers’ license or other state ID card, and/or passport information.
Consumer Rights The CPA provides rights to “consumers”, which include only Colorado residents acting in an individual or household context, and expressly exclude individuals acting in a commercial or employment context. The CPA grants consumers several rights, including the right to: opt out of certain personal data processing; access their personal data; correct inaccurate personal data; and delete personal data. Consumers are also granted the right to obtain copies of their data in portable and—to the extent possible—readily usable formats. Consumers can exercise these rights by submitting formal requests, to which data controllers must respond without undue delay and within 45 days from the date the request is received. Where requests are numerous or complex, data controllers can extend the initial 45-day period by an additional 45 days, provided that notice of this extension is given to the consumer who made the request.
New Requirements for Regulated Businesses The CPA requires controllers and processors to implement appropriate technical and organizational measures to ensure a level of security proportionate to the risks of data collection and processing. Controllers must also conduct data protection assessments for data processing that presents a heightened risk of harm to consumers, such as data processing for the purpose of targeted advertising or the processing of specific types of sensitive data that may include ethnic, religious, or medical information.
The CPA imposes duties on data controllers to uphold consumers’ rights under the Act, requiring transparency in privacy practices, measures to secure personal data, specified purposes for which personal data is collected and used, and minimization of personal data. It also requires consumer consent for any secondary use of personal data and/or processing of sensitive data. Data controllers must also avoid unlawful discrimination against consumers in line with anti-discrimination laws in place at the state and federal levels.
Enforcement Unlike the CCPA, the CPA does not create a private right of action allowing individual consumers to sue for violations. Instead, Colorado’s attorney general and district attorneys have exclusive enforcement powers, which enable them to impose penalties up to $20,000 per violation for each consumer involved. The maximum penalty Colorado’s attorney general and district attorneys can impose under the CPA is $500,000 for one series of related violations.
Will Regulators Issue Rules or Guidance on the CPA? The Colorado attorney general is required to adopt rules relating to the technical specifications for universal opt-out mechanisms under the CPA by no later than July 1, 2023. At the attorney general’s discretion, further rules governing processes for issuing opinion letters and interpretive guidance may be issued and adopted until January 1, 2025.
Though the CPA will not go into effect until July of 2023, businesses that are regulated by the Act would do well to take a proactive approach to ensure their practices are compliant with the CPA and that they have the necessary protocols and mechanisms in place to respond to consumers’ requests by the time the statute goes into effect. Lewis Brisbois’ Data Privacy & Cybersecurity Team has considerable experience advising businesses on such matters and working closely with senior leadership to craft appropriate policies and procedures to ensure compliance with all state and federal data security regulations
Texas Passes Bill Allowing Public Listing Of Data Breaches, Effective Sept. 1, 2021
On May 31, 2021, the Texas Legislature approved House Bill 3746, which amends the Texas Business and Commerce Code § 521.053 relating to certain notifications required following a data breach involving Texas residents.
The bill includes the existing requirement that any business or entity notify the attorney general of a data breach within 60 days of its occurrence if the breach involves at least 250 Texas residents. The notice must include the nature and circumstances of the breach, the number of residents involved, the number of residents who were sent a notice letter, the measures taken regarding the breach and whether law enforcement is engaged in investigating the breach. In our discussions, with the Texas attorney general’s office, they encourage reporting entities to utilize the online reporting portal.
Notably, the bill allows the attorney general to post on its website a public listing of the data breach notifications received, excluding any sensitive personal information, which will be updated monthly. After one year, the attorney general will remove the posted notification if the entity has not reported any additional breaches during that period.
Once the bill is signed by Texas Gov. Greg Abbott, it will take effect beginning Sept. 1, 2021.
New Philadelphia Ordinance Prohibits Pre-Employment Marijuana Testing
Philadelphia recently passed an ordinance that prohibits employers from requiring “a prospective employee to submit to testing for the presence of marijuana in such prospective employee’s system as a condition of employment.” The ordinance will take effect on January 1, 2022 and applies to any person doing business in the city who employs one or more employees. The ordinance does not prohibit pre-employment testing of certain types of employees, including police and other law enforcement positions, any position requiring a commercial driver’s license, and any position that requires the supervision or care of children, medical patients, disabled people, and other vulnerable persons. Also, there are exceptions from the pre-employment testing prohibition, for instance, where drug testing would otherwise be required by applicable law, including a federal or state statute or regulation; where the federal government requires testing as a condition of the receipt of a contract or grant; or where testing is pursuant to a valid collective bargaining agreement.
Philadelphia is not the first jurisdiction to pass legislation of this sort. New York City’s council passed an amendment to its administrative code in 2019 with substantially similar language. In addition, Atlanta, Washington, DC, Rochester, NY, and Richmond, VA, all prohibit pre-employment marijuana screening for certain public employees. Nevada, which allows recreational marijuana use, prohibits both public and private employers from refusing to hire a prospective employee because of a positive marijuana screening, with similar exceptions for law enforcement and public safety positions.
Other jurisdictions with statutes legalizing marijuana use for recreational purposes, including New York, New Jersey, and Maine, prohibit employers from taking adverse employment action against employees solely because of their marijuana use outside of the workplace. Although these states do not ban pre-employment screening for marijuana outright, employers cannot reject applicants based on a positive test for marijuana, except when federal law requires such testing. California legalized recreational marijuana five years ago. A bill is currently working through its state legislature, which if passed, would prohibit employers from discriminating or taking adverse action against employees and applicants on the basis of a positive marijuana test.
As more states legalize marijuana for both medical and recreational use, it is likely that employers will be restricted in additional jurisdictions from testing applicants for marijuana. Employers should take heed of state and local laws in their jurisdiction before testing their applicants and employees for the presence of marijuana.
Connecticut Passes Law Requiring Disclosure Of Wage Ranges To Applicants And Employees
On June 7, 2021, Governor Lamont signed House Bill Number 6380, which requires employers to disclose to applicants and employees the salary ranges for positions. Significantly, the law also expands Connecticut’s prohibition of gender-based pay discrimination to require equal pay for “comparable,” as opposed to “equal,” work. The bill, entitled “An Act Concerning the Disclosure of Salary Ranges,” goes into effect October 1, 2021.
Under the new law, an employer is prohibited from:
- Failing or refusing to provide an applicant for employment the wage range for a position for which the applicant is applying, upon the earliest of (a) the applicant’s request, or (b) prior to or at the time the applicant is made an offer of compensation; or
- Failing or refusing to provide an employee the wage range for the employee’s position upon (a) the hiring of the employee, (b) a change in the employee’s position with the employer, or (c) the employee’s first request for a wage range.
An employee or prospective employee may bring an action in court to redress any violation of these requirements within two years of the violation. A successful claimant can obtain compensatory damages, attorney’s fees and costs and even punitive damages. The nature of any compensatory damages that could flow from failure to disclose pay ranges is not specified by the statute.
The law defines “wage range” as: “[T]he range of wages an employer anticipates relying on when setting wages for a position.” The definition also provides that the “wage range” may include reference to any applicable pay scale, previously determined range of wages for the position, actual range of wages for those employees currently holding comparable positions or the employer’s budgeted amount for the position.
Employers could face increased litigation and potentially significant liability from additional provisions of the new law that implement a “comparable worth” cause of action for wage disparity. Until amended by the Act, Connecticut’s prohibition on gender-based pay discrimination provided that an employer could not pay an employee less than what the employer was paying an employee of the opposite sex for equal work. The Act now expands this prohibition to state that an employer cannot pay an employee less than what the employer is paying an employee of the opposite sex for comparable work. The test for whether work is “comparable” will be determined “when viewed as a composite of skill, effort and responsibility and performed under similar working conditions.” An employer seeking to justify a discrepancy in pay will have the burden of showing that the difference is based on factors other than gender, such as credentials, skills and/or geographic location, in addition to those already enumerated in the statute (i.e., education, training and experience). However, the employer bears the burden of proof on these factors if it wishes to assert them as special defenses in response to such a claim.
Notably, Connecticut’s new law regarding disclosure of salary ranges is among the first such legislation passed on this topic in the United States. Employers should consider adopting policies and practices that respond to the new law by its October 1, 2021 effective date, including the development of bona fide salary ranges based on objective criteria. It would also be prudent for employers to review existing salaries to identify and address disparities that could pose a risk of claims and litigation under the “comparable worth” standard of the new law.
Connecticut Legalizes Adult-Use Cannabis
After a special legislative session, the Connecticut Senate passed An Act Concerning Responsible and Equitable Regulation of Adult-Use Cannabis on June 17, 2021, following the Connecticut House’s passage of the bill on June 16, 2021. Governor Ned Lamont has indicated that he intends to sign the bill into law. The law was previously passed by the Connecticut Senate but was filibustered in the Connecticut House, thereby necessitating the special session. The new law will legalize adult-use cannabis for adults 21 and over and provides for the licensure of cultivators, retailers, manufacturers, and delivery services under the supervision of the Department of Consumer Protection. Like other Northeast states, Connecticut’s law puts a heavy emphasis on social equity, requiring half of all licenses to go to social equity applicants. Further, the state will provide assistance to these applicants in getting their business started. Additional highlights include:
- Adults 21 and over may possess up to 1.5 ounces of cannabis starting July 1, 2021 and may store up to 5 ounces in their residence or vehicle.
- Automatic expungement of convictions for possession of under four ounces of cannabis. However, automatic expungement will not begin until 2023, and will apply only to convictions between January 1, 2000 and September 15, 2015, with others needing to petition to have their convictions expunged.
- Adults 21 and over may grow up to three mature and three immature plants starting July 1, 2023. Medical patients 18 and over may begin growing plants October 1, 2021.
- Employers may not take adverse action against workers for positive cannabis metabolite tests.
- The smell of cannabis is no longer probable cause to stop and search individuals. Adults between 18 and 20 face a civil fine for possession. Minors would be subject to a written warning for their first two offenses but can face more severe penalties for subsequent offenses.
- Localities may prohibit cannabis businesses.
- Flower will be capped at 30% THC on a dry-weight basis, whereas all other products will be capped at 60% on a dry-weight basis. The 60% THC cap on other cannabis products does not apply to pre-filled cartridges for electronic cannabis delivery systems.
- Cannabis sales will be subject to a THC-based excise tax, a 3% municipal tax, and Connecticut’s state sales tax. At first, the state-based taxes will go towards Connecticut’s general fund, but beginning June 30, 2023, 60% of tax revenue will go towards the Social Equity and Innovation Fund. That amount will gradually increase from 2026 to 2028.
- Social equity applicants will pay only 50% of the standard application fee for licenses, while medicinal dispensaries can pay $1 million in order to operate as a hybrid dispensary.
House Majority Leader Jason Rojas aims to have legal sales begin in May 2022.
Supreme Court Allows Coronavirus Eviction Moratorium To Remain In Place
A divided Supreme Court denied a request to block a U.S. Centers for Disease Control and Prevention order that prohibits landlords nationwide from evicting certain tenants who fail to pay rent amid the Covid-19 pandemic. The court’s order means the moratorium will remain in place until July 31.
Chief Justice John Roberts and Justice Brett Kavanaugh joined with the court’s three liberals to keep the moratorium in place. Justices Clarence Thomas, Samuel Alito, Neil Gorsuch and Amy Coney Barrett said they would have granted the request to lift it.
The current moratorium was set to expire Wednesday, but last week CDC Director Dr. Rochelle Walensky announced what she said was a “final” extension until July 31. In a statement she said that the pandemic has presented a “historic threat to the nation’s public health” and that “keeping people in their homes and out of crowded or congregate settings—like homeless shelters—by preventing evictions is a key step in helping to stop the spread of Covid-19.”
A group of landlords, real estate companies and real estate trade associations asked the justices to step in—on an emergency basis—arguing that “Congress never gave the CDC the staggering amount of power it now claims.”
They argue that the moratorium has resulted in “over $13 billion in unpaid rent per month.”
A district court ruled against the government, holding that the moratorium was unlawful but then the court put its ruling on hold pending appeal. The DC Circuit declined to lift the stay.
Acting Solicitor General Elizabeth Prelogar urged the justices to allow the moratorium to remain in effect for now. She told the justices in court papers that federal law authorizes the secretary of Health and Human Services, through the CDC, to adopt regulations to “prevent the introduction, transmission, or spread of communicable diseases” from one state to another.
She said the moratorium on residential evictions is “temporary” and is necessary because evictions would increase the risk of spreading Covid by forcing renters to move into shared-living or become homeless.
As he often does, Kavanaugh wrote to explain why he voted to allow the moratorium to remain in place. On the one hand, he said he agreed with the District Court that the CDC exceeded its statutory authority by issuing a nationwide moratorium.
But, he said, because the CDC has said it will end the moratorium in a few weeks he would allow it to remain in place. He said the extra weeks will “allow for additional and more orderly distribution of the congressionally appropriated rental assistance funds.”
Kavanaugh made clear however, that if the government were to extend the moratorium past July 31, it would need “specific congressional authorization.
Federal Judge Dismisses Texas Suit Challenging Employer’s COVID-19 Vaccination Mandate
In April, Houston Methodist Hospital announced its decision to mandate the COVID-19 vaccination for all employees. One hundred seventeen employees sued to block the mandate. But, on June 12th, one day after hearing oral argument, U.S. District Judge Lynn Hughes, issued an order dismissing the suit.
His order makes short work of the plaintiffs’ arguments.
They contended that terminating them for refusing the injection would constitute wrongful termination. Not so, says Judge Hughes. To prevail in a wrongful termination suit, the plaintiff must show that her employer terminated her because she refused to perform an illegal act, one carrying criminal penalties. But receiving a COVID-19 vaccination isn’t illegal and carries no criminal penalties.
Judge Hughes also rejects the plaintiffs’ argument that the vaccination mandate violates public policy. Texas law, he explains, recognizes no public policy exception to the employment at-will rule. And, if it did, the injection requirement comports with public policy. “The Supreme Court has held that (a) involuntary quarantine for contagious disease and (b) state-imposed requirements of mandatory vaccination do not violate due process.”
The plaintiffs argued that the injection requirement violates federal law because the Food and Drug Administration hasn’t fully approved the available vaccines. No matter says Judge Hughes. Federal law governing FDA approval for medications is inapposite to private employers and creates no private right of action.
Judge Hughes likewise rejects the plaintiffs’ contention that the vaccination mandate violates federal law governing protection for human subjects. That’s because the Hospital’s employees are not participants in a human trial.
They are licensed doctors, nurses, medical technicians, and staff members. The hospital has not applied to test the COVID-19 vaccines on its employees, it has not been approved by the institutional review board, and it has not been certified to proceed with clinical trials.
Judge Hughes aimed his harshest criticism at the plaintiffs’ contention that the injection requirement is invalid because it violates the Nuremberg Code, likening the threat of termination for refusing to be vaccinated to forced medical experimentation during the Holocaust
The Nuremberg Code does not apply because Methodist is a private employer, not a government. Equating the injection requirement to medical experimentation in concentration camps is reprehensible. Nazi doctors conducted medical experiments on victims that caused pain, mutilation, permanent disability, and in many cases, death.
Finally, Judge Hughes rejected the plaintiffs’ underlying premise, that Methodist Hospital was coercing the plaintiffs to be vaccinated.
Methodist is trying to do their business of saving lives without giving them the COVID-19 virus. It is a choice made to keep staff, patients, and their families safer. Bridges [—the lead plaintiff—] can freely choose to accept or refuse a COVID-19 vaccine; however, if she refuses, she will simply need to work somewhere else.
If a worker refuses an assignment, changed office, earlier start time, or other directive, he may be properly fired. Every employment includes limits on the workers’ behavior in exchange for remuneration. That is all part of the bargain.
Supreme Court Substantially Restricts Ability To Sue In Federal Court For FCRA, FDCPA, TCPA And Other Statutory Violations – Same Class Actions Now Difficult To Certify
On June 25, 2021, the Supreme Court of the United States held that a plaintiff must suffer a concrete injury resulting from a defendant’s statutory violation to have Article III standing to pursue damages from that defendant in federal court. The Court also held that plaintiffs in a class action must prove that every class member has standing for each claim asserted and for each form of relief sought.
Justice Kavanaugh wrote the majority opinion, which was joined by Chief Justice Roberts as well as Justices Alito, Gorsuch, and Barrett. Justice Thomas, often considered the Court’s most conservative member, wrote a dissent joined by Justices Breyer, Sotomayor, and Kagan. Justice Kagan also wrote a separate dissent that was joined by Justices Breyer and Sotomayor.
The Court’s decision in TransUnion LLC v. Ramirez is available at: Link to Opinion.
The road to this momentous decision began at a car dealership where the plaintiff sought to finance the purchase of a vehicle. When running a credit check, the dealership received a TransUnion credit report indicating that the plaintiff’s name matched a name on a list of “specially designated nationals” maintained by the United States Department of Treasury’s Office of Foreign Assets Control. The OFAC list contains the names of terrorists, drug traffickers, and other serious criminals deemed to be a threat to national security. After seeing his credit report, the dealership refused to sell a car to the plaintiff.
The following day, the plaintiff called TransUnion to request a copy of his credit file pursuant to 15 U.S.C. § 1681g(a)(1). TransUnion fulfilled the request and included a copy of the CFPB’s summary of rights as required by 15 U.S.C. § 1681g(c)(2). The documents sent to the plaintiff omitted the OFAC alert, so the following day TransUnion sent the plaintiff a second letter explaining that his name potentially matched a name on the OFAC list. However, the second letter did not include the CFPB’s summary of rights.
The plaintiff subsequently filed suit against TransUnion, asserting three claims under the Fair Credit Reporting Act (FCRA): (1) that in utilizing the OFAC list, TransUnion failed to follow reasonable procedures to ensure the accuracy of information in violation of 15 U.S.C. § 1681e(b); (2) that by omitting the OFAC information from the credit file TransUnion initially mailed to plaintiff in response to his request, TransUnion failed to provide plaintiff with all information in his credit file in violation of § 1681g(a)(1); and (3) that by failing to include another copy of the summary of rights in the second mailing to plaintiff, TransUnion violated § 1681(c)(2). The plaintiff also asserted those three claims on behalf of a class of all people in the United States to whom TransUnion mailed a follow-up OFAC notice without a summary of rights—i.e., those who received a mailing like the second mailing received by the plaintiff. There were 8,185 people in the class, but only 1,853 of them had their credit reports sent to creditors during the relevant time period.
The plaintiff prevailed on all three claims at trial and the jury awarded over $60 million ($984.22 in statutory damages and $6,353.08 in punitive damages for each member of the class). On appeal, the Ninth Circuit agreed that all members of the class had Article III standing, but the circuit court reduced the punitive damages award to just under $4,000 per class member, which brought the overall award to roughly $40 million. The Supreme Court granted certiorari.
The Supreme Court’s decision focused on whether each member of the class suffered a “concrete” injury and further developed its analysis of concreteness provided five years earlier in Spokeo, Inc. v. Robins, 578 U.S. 330 (2016). In particular, the Court elaborated on the limits of Congress’s power to create statutory injuries that can form the basis of a lawsuit in federal court. After all, as the Court held in Spokeo, “Article III requires a concrete injury even in the context of a statutory violation.” And this means that “[o]nly those plaintiffs who have been concretely harmed by a defendant’s statutory violation may sue that private defendant over that violation in federal court.”
In further describing those Congressional limits, the Court cited recent FDCPA decisions from the Seventh and Eleventh Circuits. The Court agreed with the Eleventh Circuit (Trichell v. Midland Credit Mgmt., Inc., 964 F.3d 990, 999, n. 2 (11th Cir. 2020)) that Congress’s “say so” does not make an injury concrete. The Court also quoted the Seventh Circuit decision written by then-Judge (now Justice) Barrett in Casillas v. Madison Avenue Assocs., Inc., 926 F. 3d 329, 332 (7th 2019) to explain that “‘Article III grants federal courts the power to redress harms that defendants cause plaintiffs, not a freewheeling power to hold defendants accountable for legal infractions.’”
In determining whether the class members had standing, the Court examined whether the alleged injury bore a “close relationship to a harm traditionally recognized as providing a basis for a lawsuit in American courts,” here the harm to one’s reputation resulting from defamation.
Starting with the 1,853 class members whose credit reports were disseminated to creditors, the Court noted that American law has long recognized that a person is injured when a defamatory statement is published to a third party. Therefore, class members whose credit reports were published to third parties were injured because those reports flagged them as potential terrorists.
Although the credit reports merely alerted users to a potential match on the OFAC list and did not falsely assert that any class member was a terrorist, the Court held that the harm associated with being described as a potential terrorist bears a sufficiently close relationship to being called a terrorist. Therefore, the Court affirmed the finding of standing on the § 1681e(b) claim for the plaintiff and the 1,853 members of the class whose credit reports were disseminated by TransUnion.
The Court then turned to the 6,332 class members whose credit reports were not disseminated and questioned whether they suffered a concrete injury from the mere existence of an inaccurate credit file that was never published to a third party. The Court determined that publication is necessary for a concrete injury, comparing an unpublished credit report with a defamatory letter that is hidden in a desk drawer instead of mailed.
The Court also rejected the plaintiff’s argument that all class members had standing because they were subjected to a material risk of future harm based on the potential later release of their credit reports. The Court’s prior decision in Spokeo noted that a risk of future harm can sometimes satisfy the concreteness requirement, so long as the risk is sufficiently imminent and substantial.
In Ramirez, the Court took the opportunity to explain that a plaintiff exposed to a risk of future harm may sometimes have standing to pursue injunctive relief to prevent that harm from occurring, but a mere exposure to risk is insufficient to confer standing to seek retrospective damages. Because their credit reports were never published, the Court reversed the finding of standing for the other 6,332 class members on the § 1681e(b) claim.
The Court then addressed whether the class members had standing to pursue what it called the “disclosure claim” (based on the omission of OFAC information from the credit file sent to class members pursuant to § 1681g(a)) and the “summary-of-rights claim” (based on the failure to send another summary of rights with the follow-up mailing that contained the OFAC information). The plaintiff argued that all class members suffered a concrete injury because they were deprived of their right to receive information in the format required by the FCRA, but the Court rejected this argument because there was no evidence that any class member suffered a harm that bore a close relationship with a harm traditionally recognized as providing a basis for a lawsuit in American courts. Indeed, there was no evidence that anyone other than the plaintiff himself even opened the two mailings, much less that anyone acted or failed to act based on the information contained in those mailings.
Although Congress can elevate to legally cognizable the harm associated with the denial of information subject to public disclosure, the Court again cited Casillas and Trichell in pointing out that the FCRA, like the Fair Debt Collection Practices Act, is not a public-disclosure law. The Court then turned to Trichell once more in noting the failure to identify any “downstream consequences” resulting from the defective disclosures: “An ‘asserted informational injury that causes no adverse effects cannot satisfy Article III.’” Therefore, the Court held that none of the class members had standing to pursue damages for the “disclosure claim” or the “summary-of-rights claim.”
Impact on Consumer Litigation
In the wake of Spokeo, the federal circuit and district courts were divided on whether a statutory violation, on its own, was sufficient to confer standing. For example, the Sixth Circuit in Macy v. GC Services Ltd. Partnership, 897 F.3d 747 (6th Cir. 2018), held that an alleged violation of a disclosure provision of the FDCPA was itself enough to confer standing, a holding that was expressly rejected by the Seventh Circuit in Casillas. The Supreme Court’s ruling in Ramirez appears to resolve this split and essentially makes Casillas and Trichell the law of the land. Going forward, plaintiffs who merely allege a technical violation of a consumer-protection statute, with no associated concrete injury, lack standing to pursue that claim in federal court. Also, even if the plaintiff can prove that he suffered a concrete injury as the result of a statutory violation, he will be unable to recover on behalf of a class unless he can also prove that every class member suffered a concrete injury as well. In other words, gone are the days in which a plaintiff could pursue class recovery based solely on the fact that every member of the class received the same allegedly defective letter.
The European Union’s New Standardized Data Transfer Agreement: Implications For Multinational Employers
At long last, the European Commission, on June 4, 2021, adopted new Standard Contractual Clauses (“new SCCs”) to permit lawful transfers of personal data from the European Union (EU) to third countries such as the United States.1 This development is critical for U.S. multinational employers that rely heavily on centralized, web-based platforms for key aspects of global human resources administration, such as recordkeeping, performance evaluation, expense reimbursement, and diversity and inclusion initiatives.
Every U.S. multinational employer that currently relies on the existing Standard Contractual Clauses (“existing SCCs”) will be required to update numerous agreements. These include the existing SCCs used to transfer HR data from EU subsidiaries to members of the corporate group located in the United States and other third countries, as well as the existing SCCs used to legitimize transfers of EU personal data to the many service providers located outside the EU on which U.S. multinational employers typically rely.
The update process potentially will be onerous. The new SCCs introduce new compliance and documentation requirements and increase risk by expressly subjecting the U.S. parent corporation and its non-EU affiliates that receive EU personal data to the jurisdiction of EU data protection regulators and EU courts. Fortunately, the European Commission’s decision provides a grace period until January 1, 2023, and potentially later, to complete the update process.2 Nonetheless, U.S. multinational employers should not push the update process to the back burner for too long as certain aspects of that process will be time consuming and challenging.
What Are The Standard Contractual Clauses And Why Are They Important?
For many multinational employers, Standard Contractual Clauses offer the only practical means of transferring human resources data to countries outside of the EU. The EU’s General Data Protection Regulation3 (“GDPR”) permits the transfer of data related to an identifiable natural person (“personal data”) to countries outside the EU only in limited circumstances. Companies may transfer personal data without restriction to a handful of countries that the European Commission has deemed to provide “adequate” data protection. These “adequate” countries do not include the United States. Otherwise, personal data can be transferred to a third country only in reliance on an approved data transfer mechanism, such as the SCCs, or on certain narrow exceptions (“derogations”) that typically are not a practical solution for U.S. multinational employers.
Standard Contractual Clauses offer multinational employers a relatively efficient means of ensuring adequate protection for data transfers. Approved by the European Commission in the early 2000s, the existing SCCs consist of standard contracts, signed by the party located in the European Union that intends to transfer personal data (the “data exporter”) and by the party located elsewhere that plans to receive that data (the “data importer”), and an annex used to describe the details of the data transfer. Once signed, the existing SCCs impose data protection obligations on the data importer designed to provide protections for the transferred personal data that are essentially equivalent to those provided under EU law.
Why Were New SCCs Needed?
Data exporters and importers around the globe have expected a new version of the Standard Contractual Clauses for at least five years. First, the enactment of the GDPR in 2016 made the existing SCCs outdated. These SCCs were based on the EU Data Protection Directive,4 the data protection legislation that pre-dated the GDPR. The existing SCCs did not address the many changes that the GDPR introduced to EU data protection law.
Second, in July 2020, the Court of Justice of the European Union (“CJEU”) issued a landmark ruling, popularly called “Schrems II”,5 that recognized the adequacy of the protections offered by existing SCCs for transferred EU personal data, but at the same time, emphasized that the receiving country’s laws could unduly undermine those protections.6 The CJEU opined that the parties to the agreement must evaluate whether local law or practices would permit government authorities excessive access to the transferred personal data. If so, the parties would be required to implement “supplemental measures” to ensure a level of protection for personal data essentially equivalent to that provided by the GDPR. Consequently, the new SCCs also were necessary, in part, to bolster the existing SCCs.
What Do The New SCCs Retain From The Existing SCCs?
Like the existing SCCs, the new SCCs can provide a means for companies to transfer personal data out of the EU. Although companies must still assess local laws in the data importer’s country and consider supplemental measures, the new SCCs, like the existing SCCs, provide at least a first step toward complying with the GDPR’s requirement to ensure adequate data protection.
In addition, the structure of the new SCCs will look familiar to those who have used the existing SCCs. Like the existing SCCs, the new SCCs consist first of standard clauses that the parties cannot modify. The standard clauses are followed by annexes that the parties must customize based on the details of the specific data transfer.
Finally, just as with the existing SCCs, the new SCCs can be incorporated into a larger contract, such as a master service agreement. The parties also can supplement the new SCCs with additional terms as long as those additional terms do not conflict with the standard clauses.
What’s New In The New SCCs?
The new SCCs introduced a wide range of additional requirements for data exporters and data importers. This section summarizes just the key changes. The first three subsections below describe changes that will streamline data transfers and the last three cover updates that impose new and onerous obligations.
The new SCCs offer much-needed flexibility to handle data transfer arrangements. The existing SCCs only had versions for controller-to-controller data transfers, such as transfers from EU subsidiaries to a U.S. parent corporation, and controller-to-processor data transfers, e.g., transfers from EU subsidiaries to a U.S.-based performance review platform. In addition to covering these two situations, the new SCCs can be used for processor-to-sub-processor data transfers, i.e., transfers from a service provider to its subcontractors, and for transfers from a processor in the EU to a controller in a third country, for example, when a German payroll administrator for a German subsidiary uploads payroll data directly to the U.S. parent corporation. For companies that had to awkwardly shoehorn data transfers into the existing SCCs, the new options will come as a relief.
In its decision regarding the new SCCs, the European Commission also validated two common practices that have helped multinationals execute SCCs more efficiently. Multinationals often execute one Standard Contractual Clauses agreement among multiple subsidiaries. When subsidiaries join or leave the family of companies, the multinational simply adds or eliminates signatories, rather than formally amends the agreement. The European Commission designed the new SCCs to facilitate both common practices.
The New SCCs Satisfy GDPR, Article 28(3):
The GDPR requires controllers, such as employers, to have their service providers (“data processors”) agree by contract to a set of provisions listed in Article 28(3). Because the existing SCCs pre-dated GDPR, they did not address all of the required clauses, forcing EU subsidiaries to execute with vendors located outside the EU a data processing agreement that satisfied both the Article 28(3) requirements and the existing SCCs. Because the new SCCs post-date GDPR, they address all of the Article 28(3) requirements, thereby eliminating the need for two agreements between EU subsidiaries and non-EU service providers.
Schrems II Compliance:
As noted in the Section above, entitled “Why Were New SCCs Needed?”, the CJEU’s decision in Schrems II requires the parties to the SCCs to implement “supplementary measures” where warranted by an assessment of local law. Supplemental measures will be necessary where local law in the data importer’s country would allow public authorities to gain access to transferred EU personal data in a way that would undermine the SCCs’ protections.
The new SCCs include two provisions that address Schrems II concerns. First, the data importer must (a) warrant that local law does not interfere with its ability to comply with the SCCs, and (b) document its analysis of local law to support this warranty. The data importer must provide this documentation to relevant EU data protection regulators upon request.
Second, the new SCCs effectively require data importers to litigate government demands for production of transferred EU personal data through an appeal. Data importers also must notify, where legally permitted, the data exporter and, where feasible, the EU data subjects of the request by the government for personal data.
New Documentation Requirements:
The new SCCs explicitly provide that the data importer “shall be able to demonstrate compliance with its obligations under these Clauses.” As noted in the preceding subsection on “Schrems II Compliance,” the new SCCs also impose on the data importer an obligation to provide documentation of compliance to the competent supervisory authority upon request.
More Detailed Annexes:
The annexes to the new SCCs require far more detail than required under the existing SCCs. For example, the new SCCs require inclusion of retention periods for transferred EU personal data, an identification of additional protection for sensitive personal data, and a detailed description of the technical and administrative safeguards the data importer implements for transferred EU personal data. Due to the wide variety of human resources data that a multinational employer may transfer to a centralized human resources database in the U.S. and the extent of sensitive personal data, these requirements will lead to considerably more time needed to draft annexes.
Greater Enforcement Risk For Data Importers:
Finally, several provisions in the new SCCs increase the risk to U.S. parent corporations of regulatory scrutiny in relation to transfers of EU employees’ personal data. Unlike the existing SCCs, the new SCCs emphasize that data importers are subject to the jurisdiction of EU supervisory authorities, and that EU residents may submit complaints against data importers to EU supervisory authorities and EU courts. Notably, the new SCCs require data importers to report data breaches directly to EU supervisory authorities, and several provisions require the production of compliance documentation upon request. A reported data breach will run the risk of a comprehensive review of the data importer’s documentation related to its data transfers.
These changes likely will come as an unwelcome shock to U.S. parent corporations that are not directly subject to the GDPR. In essence, the new SCCs carry GDPR-like risks and liability across the EU’s borders to data importers in the U.S. and other third countries.
What Should U.S. Multinational Employers Do Now?
Although U.S. multinational employers have more than 18 months to migrate to the new SCCs, they should not wait until late 2022 to start the process. Completing the annexes of the SCCs alone will take substantial time. The new SCCs also require dramatically enhanced safeguards and notice, reporting, and recording obligations. In addition, U.S. companies should bear in mind that the California Privacy Rights Act and Virginia Consumer Data Protection Act go into effect on January 1, 2023, which may also end up marking the end of the grace period for implementing the new SCCs. At many companies, this convergence of major new compliance obligations may lead to overwhelmed privacy and compliance departments by late 2022.
Over the next year, U.S. multinational employers should consider taking at least the following steps:
- Map Data Transfers: U.S. multinational employers should map all data transfers from their EU subsidiaries to gather the information needed to identify all existing SCCs that will need to be updated and to complete the new SCCs’ more detailed annexes.
- Conduct Schrems II Assessment of Local Law: The new SCCs effectively require the parties to conduct and document a detailed assessment of whether the laws and practices of the destination country prevent the data importer from fulfilling its obligations under the new SCCs’ standard clauses.
- Implement New Internal Policies and Procedures: The new SCCs impose numerous obligations on data importers, such as responding to requests from individuals to exercise their GDPR rights, purging personal data that no longer is needed for the purposes for which it was transferred, and litigating government requests to access transferred EU personal data. U.S. multinational employers likely will need to modify existing policies or implement new policies to fulfill these new obligations.
- Update Data Processing Notices: To address the new SCCs’ requirement that the parties provide more robust information to data subjects about cross-border data transfers, data processing notices provided to job applicants, employees, and others will need to be revised to include additional information about cross-border data transfers.
- Safeguards for Transferred Personal Data: Data importers must implement detailed technical and administrative safeguards for transferred EU personal data.
European Commission Publishes Final Standard Contractual Clauses
Seven months after the European Commission published its draft new Standard Contractual Clauses for data transfers between EU and non-EU countries (the “Draft SCCs”) for consultation (see our blog post here (the “Draft SCCs Blog”)), they have now published a finalized set of Standard Contractual Clauses (“Final SCCs”) with little fanfare (available here).
It should also be noted that alongside the Final SCCs, the European Commission have published a finalized set of non-mandatory Article 28 clauses for use between controllers and processors in the EU (see our blog post here on the draft version) in relation to which we will be publishing a follow-up shortly.
It will be mandatory, however, for organizations to implement and comply with the Final SCCs and in this blog post we consider the movement from the Draft SCCs to the Final SCCs (as well as the key points raised by them), the practical impact that this will have on organizations and the UK’s position.
- The Draft SCCs and the Final SCCs – In comparison to the Draft SCCs, the Final SCCs provide some cause for hope, in particular an extended grace period of 18 months, a 3-month window during which organizations may continue to put in place the current SCCs to address international transfers of personal data, and the softening of some provisions such as the approach to challenging public authority access. However, other aspects of the Final SCCs may cause increased friction, notably a more nebulous approach to the warranty regarding impact assessments.
- Practical Considerations from the Final SCCs – The Final SCCs serve to confirm that a repapering exercise is looming for most organizations and that a re-evaluation of current agreements, training, and contracting support will be required so as to have in place mechanisms to implement agreements with appropriate iterations of the Final SCCs on an ongoing basis. Beyond this, more granular considerations including the interplay of the Final SCCs with negotiated clauses will require some more careful, context-specific scrutiny.
- The UK’s Way Forward – The current SCCs will continue to apply for transfers of data from the UK to third countries while the ICO prepares a set of its own standard contractual clauses, independent of the Final SCCs. The extent to which these deviate will inform how much more complex putting in place and maintaining the necessary contractual provisions will be for organizations, particularly those with multifaceted data flows between the UK, EU and third countries.
Please refer to the Draft SCCs Blog for more detailed background, but by way of summary, the GDPR prohibits the transfer of personal data from the EEA to a third country or international organization outside of the EEA unless an available condition under the GDPR is satisfied.
One of these conditions is the use of Standard Contractual Clauses (“SCCs“) which are effectively a contract ‘pre-approved’ by the European Commission to be entered into between the data exporter and the data importer and which impose certain data protection obligations on both parties. However, the current SCCs had some issues including the fact that they were not updated when the GDPR came into force (referencing the old EU Data Protection Directive rather than GDPR) and there were only two sets of SCCs (covering transfers from one controller to another controller (“C2C“) or from a controller to a processor (“C2P“) which meant that they did not cover situations such as processor to processor (“P2P“) or processor to controller (“P2C“) transfers).
The Draft SCCs looked to address these issues, as well as the impact of the Schrems II decision (see our blog post on the Schrems II case here). The Schrems II judgment made it clear that where SCCs are being used, a level of due diligence needs to take place before any transfer can be made. This is to ensure that personal data originating in the EEA always carries with it protections which are essentially equivalent to those in the EEA. In parallel, to help data exporters in that assessment, on 10 November 2020 the EDPB issued draft guidance on how to carry out the due diligence exercise in practice (see our blog post on the draft guidance here). We are imminently expecting the finalized EDPB guidance on these supplementary measures, potentially as early as next week if the authorities are able to agree them during this month’s plenary meeting on 15 June 2021.
Following a period of consultation and some delay to finalization, the European Commission published the Final SCCs in final working documents on 4th June with publication in the Official Journal expected swiftly.
The Draft SCCs and the Final SCCs
The Final SCCs broadly adopt the same approach as the Draft SCCs, although there is some deviation both to soften provisions and provide more flexibility to organizations than originally envisioned by the Draft SCCs, although in some instances the approach has been toughened. We detail the material deviations and summarize the changes from the Draft SCCs below.
Extended Grace Period and Limited Grandfathering Period
The Draft SCCs contemplated a one-year grace period within which organizations had to ensure compliance and the Final SCCs have both extended this period and made it more nuanced by introducing a limited grandfathering period during which organizations may continue to implement the current SCCs. From the date of publication in the Official Journal (plus 20 days), organizations will now:
- have 3 months to continue to put in place the current SCCs; and
- have 15 months from the end of the 3-month period within which they must implement the Final SCCs and can continue to rely on the current SCCs (provided there is no change to the processing activities during this time and any necessary supplemental measures are in place).
While the extended grace period is positive in the context of the EU-U.S. Privacy Shield being immediately invalidated as a result of the Schrems II decision and thereby requiring instant contractual and organizational remediation, the result of the Final SCCs is that organizations will still be required to re-paper their existing contracts in the medium term (by likely December 2022) and put in place mechanisms to begin incorporating the Final SCCs into new agreements in the short term (likely starting from June 2021 but by no later than September 2021) (see ‘practical considerations’ section below).
Modular Structure and Scope
The Final SCCs have retained the modular format allowing for adaptation to different factual scenarios covering both C2C and C2P transfers already provided for under the current SCCs. They now also cater for P2P and P2C situations which were not provided for and enable other parties to ‘dock’ into the Final SCCs (of particular importance where sub-processors are introduced to a pre-existing arrangement).
Additionally the set of processor clauses required by Article 28 GDPR remains incorporated into the Final SCCs, continuing not as a separate module and explicitly prevailing over any conflicting provisions.
While elements of the modules have been somewhat rearranged, materially they provide the same flexibility, but also issues, as discussed in the ‘structure’ and ‘scope’ sections of the Draft SCCs Blog.
The requirement for data importers who are controllers to notify a competent EU supervisory authority (discussed in the ‘extraterritoriality’ section of the Draft SCCs Blog) remains but rather than the threshold being a ‘significant adverse effect’, this has been lowered to ‘a risk to the rights and freedoms of natural persons’ (with an attendant notification obligation to data subjects where there is a ‘high risk’). This aligns with the thresholds in the GDPR, but arguably makes notification a more likely requirement for importers.
Additionally, the approach of the Final SCCs imposes on data importers requirements that will be familiar to those already subject to the GDPR, such as obligations of transparency, security, limits to the purpose of processing, complying with data subject rights amongst others. In binding importers to obligations similar in nature to the requirements of the GDPR, the Final SCCs can be seen as further step in extending the reach of GDPR.
Like the Draft SCCs, the Final SCCs to include provisions which address the challenges of the Schrems II case (discussed in the ‘Schrems’ section of the Draft SCCs Blog) with only minor changes made to the Final SCCs in this regard.
Perhaps most notably, however, the warranty that the parties are required to provide that they have no reason to believe that the ‘laws’ of the importer country prevent the importer from fulfilling its obligations under the Final SCCs, has been expanded to make reference to ‘laws and practices’. The Final SCCs contain a footnote which provides some examples of the elements which may be considered as part of this impact assessment, but this more nebulous phrasing further emphasizes the difficultly organizations are likely to have in being able to confidently undertake and document such an assessment and warrant such a claim.
One position that has been softened from the Draft SCCs is that the requirement on importers to exhaust all available legal remedies when challenging a public authority access request has been amended to grant the importer a degree of discretion in circumstances when it believes that there are ‘reasonable grounds to consider that the request is unlawful…’ and so challenge it. This caveat (underlining added) gives importers some leeway in approaching such requests.
The more detailed liability provisions set out in the Draft SCCs remain in the Final SCCs, as does the uncapped liability position. Given the precedence taken by the Final SCCs over any other terms in an agreement to which the Final SCCs are attached, it would have been helpful if the European Commission had provided some clarity in relation to these points. Unfortunately, however, it is still unclear as to how both the detailed liability provisions and uncapped liability position set out in the Final SCCs are supposed to align with any pre-existing liability provisions set out in an agreement to which the Final SCCs are attached, especially if such pre-existing liability provisions include a cap on data protection liability, as they often do.
Absent further guidance, It would appear that attempts to limit or exclude liability would conflict with, and then be subordinate to, the approach taken by the Final SCCs.
Practical Considerations From the Final SCCs
Despite the positive and negative changes brought about by the Final SCCs, they do at least provide some clarity for organizations regarding what next steps they should take and what thinking should be done:
While there is a limited 3-month period within which organizations can continue to put the current SCCs in place, they will only be able to be rely on them for a further 15 months from the end of that 3-month window. As such, where the contractual arrangements for an in-flight project are likely to last beyond December 2022, it may make most sense for organizations to consider and implement the Final SCCs during this window.
For contracts with a duration likely to end before this window ends, or which will come up for renewal, then in the interests of expediency it would perhaps be preferable to implement the current SCCs at this stage and begin implementing and, where necessary, repapering the Final SCCs over the subsequent 15 months whereupon further guidance is likely to have been published and the market is more likely to have adopted a more settled approach.
Repapering and Expertise
As noted in the ‘repapering (again)’ section of the Draft SCCs Blog, the Final SCCs confirm that a further, more complex repapering exercise is required.
As well as requiring organizations to analyze the perhaps thousands of contractual arrangements in place to determine the data flows and relationships between parties to replace them with the appropriate combination of Final SCC modules, organizations will also need to ensure that they have in place the appropriate expertise, support, and training to be able to begin putting in place the appropriate combinations by the end of the 3-month grandfathering period.
The earlier organizations begin to engage with the approach taken by the Final SCCs and put in place mechanisms sufficient to prepare and implement combinations of modular Final SCCs, the easier the transition will be.
Final SCCs and Negotiated Clauses
As well as the repapering exercise (which will not be a ‘rip and replace’ exercise of the current SCCs to the Final SCCs), at a more granular level organizations will also need to consider the interplay between the Final SCCs and negotiated operative clauses in the main body of agreements incorporating the Final SCCs. For example:
- Operative provisions which refer out to the Final SCCs will need to be appropriately tailored to ensure that there is no conflict in multifaceted relationships (e.g. where various parties may be acting as controllers, processors, and sub-processors in relation to different data as part of the same arrangement) to enable the operative provisions and relevant modules to align.
- The Final SCCs contain embedded Article 28 provisions and so, where negotiated and bespoke operative Article 28 provisions are in place, ensuring alignment between them so as not to produce a conflict resulting in the inapplicability of tailored positions will be necessary to preserve commercial certainty.
- Contradictions may also arise for which straightforward resolution may not be possible, such as the apparent conflict between uncapped liability under the Final SCCs and commonly capped negotiated positions, or where a tailored Article 28 provision cannot be aligned with those in the Final SCCs.
- The imposition of obligations on importers will also mean that they may seek more protection from operative contractual clauses, for example the importer’s transparency obligation will likely necessitate the inclusion of operative provisions to detail the responsibility between the parties of discharging such obligations (i.e. certainty of the provision of information).
- The European Commission’s decision to address P2P transfers in the Final SCCs will finally allow parties to simplify the operative clauses that controllers enter into with processors that engage subprocessors based outside of the EU. The absence of any P2P mechanism in the current SCCs has long required parties to shoehorn in the C2P clauses to address transfers between processors and subprocessors, often to unsatisfactory effect given that there is usually an absence of direct contractual nexus between controller and subprocessor. The new P2P module should serve to simplify and speed up the drafting and negotiation of these operative provisions going forward.
Where contracts are remediated, or standard template agreements will be updated, a careful approach will need to be taken to ensure regulatory compliance while also achieving an appropriate balance of commercial risk, depending on the particular factual matrix.
The Data Importer’s Position
Where a data importer contracts with an exporter on the basis of the Final SCCs, the fact that the Final SCCs impose a range of substantive obligations on importers (see ‘extraterritoriality’ section above) will require importers to take considerable care to determine whether they do in fact have the technical, organizational, and contractual means to satisfy the various obligations placed upon them.
The potential risks of litigation and cost of simply signing and doing what has always been done have never been higher.
The UK’s Way Forward
The ICO has stated that it has been drafting its own standard contractual clauses during the course of 2021 (with a period of consultation also expected) (the “UK SCCs“), in a process distinct from the Final SCCs. It will be interesting to see the extent to which, if at all, the UK SCCs leverage the positions in the current SCCs, Draft SCCs, and Final SCCs, or whether a completely novel route is taken.
While some mood music suggests that the UK will pursue a more relaxed, business-minded approach to data (and so the UK SCCs can perhaps be expected to impose less stringent requirements on organizations), such an approach will need to be carefully balanced against the UK’s position on data vis-à-vis the EU, in particular to ensure the UK SCCs are seen as sufficiently protective if the UK is to benefit from an adequacy decision from the EU.
In addition, the ICO has also previously emphasized that international data transfers would need to account for the impact of the Schrems II decision and in their response to the UK’s National Data Strategy highlighted the importance of building on the rights, principals, and protections of data which are currently in place. Therefore a novel approach or substantial deviation from the EU’s approach (be that the current SCCs or Final SCCs) may be unlikely.
From a practical perspective, the Final SCCs will not be available for use for transfers from the UK to third countries and so, absent the UK SCCs, the current SCCs will continue to be required. Furthermore, for organizations with data flows between the EU, UK and third countries, the implementation of a further set of standard contractual clauses which may deviate from or potentially conflict with the Final SCCs would be a headache that they could do without, with further repapering and more complex contractual arrangements to introduce and align the Final SCCs with UK SCCs potentially required.
The UK’s approach will therefore be important to monitor over the coming months and until such time as UK SCCs are brought into force, the current SCCs continue to remain relevant.
The publication of the Final SCCs provides organizations with a long-awaited update to the current SCCs and, for better or worse, provides clarity in relation to the steps and considerations that organizations will need to take if they are to continue making international transfers of personal data, as well as time (by way of the grace period and limited grandfathering period) to take these steps.
Most organizations will have been through this process before and, while it may be slightly more complex in execution, the principles of previous repapering exercises, as well as more developed processes regarding records of processing, data audits, and data mapping in the years since the GDPR came into force, should provide organizations with many of the tools needed to adopt and implement the Final SCCs (although for importers that are not used to the GDPR, the increased GDPR rigor of the Final SCCs may make this more challenging).
The most important step for organizations will be to understand the new modular approach to the Final SCCs, the most material departure from the current SCCs, as organizations will need to start the process of implementing the Final SCCs in 3 months’ time. Organizations that have template agreements and processes in place which include data protection provisions incorporating the current SCCs will also need to update these template agreements and processes and provide appropriate training to those tasked with maintaining these arrangements. In the longer term, repapering will be flavor of the month once more.
Brazilian Data Protection Authority Publishes Guidelines For Controllers, Processors And DPOs
On May 28, the Brazilian Data Protection Authority (ANPD) published the “Guidelines for Definitions of Data Processing Agents and Data Protection Officer”, establishing non-binding guidelines for processing agents, clarifying the roles of controllers, processors and DPOs, as well as legal definitions and liability issues.
In general, the ANPD has rightly based several of its instructions on guidelines already established by the European Data Protection Board, which is not surprising, since the Brazilian law was heavily inspired by the GDPR.
Notwithstanding the distinctive concept between controller and processor already established by the Brazilian Data Protection Regulation (“LGPD”), namely the controller’s decision-making power, the Guide elucidates that it is not necessary for all decisions to be made by the controller, but only that he keeps his influence and control over the main decisions, i.e., those related to the essential elements for the fulfillment of the process’ purpose.
The Guide also addresses the concept of joint controllership of personal data, which did not come openly defined in the LGPD. Inspired by the GDPR, there will be joint controllership when two or more entities have a common, convergent or complementary intention about the purposes and means of processing and make decisions together. Even if the same personal data set is process, there will be no joint controllership if the processing objectives are different.
As for the processors’ role, the Guide reiterates the law by stating that they may act strictly within the limits of the purposes determined by the controller, and also highlights the importance of contracts governing the relationship between controller and processor.
Another explored aspect was the concept of sub-processors, being defined by the entity hired by the processor to assist it in performing the processing of personal data on behalf of the controller. It is recommended to obtain prior authorization from the controller for the operator to hire a third party, since the operator’s relationship with the controller is based on trust, and also because its activities (in this case, hiring a sub-operator) must comply with the controller’s instructions.
Finally, the Guide addresses the role of the DPO, who is responsible for ensuring an organization’s compliance to the LGPD. Considering that the ANPD is still in public consultation about the appointment exemptions for certain categories of controllers, it has not addressed this issue in the Guide. On the other hand, the authority clarified the legitimacy of some practices already adopted by Brazilian companies in their compliance projects: the possibility of appointing an employee or agent from outside the organization, the importance of support and integration with other areas of the company, and the appointment formalization by internal act.
In addition, the ANPD recommends that independence is given to the DPO and that the individual’s qualifications will depend on the needs and circumstances of the organization itself.
The Guide’s publication demonstrates the active role of the ANPD. In addition to such document, last week the ANPD also opened registrations for experts to participate in its technical meetings on the preparation of impact assessment reports and submitted for public consultation the draft resolution that provides for the inspection and enforcement of sanctions by the ANPD.
Panama Regulates Data Protection Law
Law No. 81 of March 26, 2019, which entered into force on March 29, has finally been regulated since May 28, through Executive Decree 285, establishing tangible guidelines for compliance with the principles, rights, obligations and procedures for a real protection to the handling of private, personal, confidential or sensitive data.
The regulation imposes specific obligations on the person in charge / custodian of the database, among the most relevant are: (i) having protocols, (ii) appointing a Compliance Officer, (iii) traceability of consents and register of all persons authorized to access the database, (iv) minimum acceptable when requesting information; (v) deadlines for responding to the data holders; (vi) 72-hour period to notify access/misuse of the database (hacking) and (vii) joint liability of the participants in the chain of processing of personal data.
It also defines the category of biological, genetic and data profiling; the powers of the regulator are also recognized; the power to carry out on-site inspections of those responsible/custodians; the imposition of sanctions according to the seriousness, proportionality, intentionality, benefit, and billing affected by the fault; as well as the statute of limitation for penalties imposed.
This regulation determines that all companies, regardless of their country of origin or activity, must comply with the law if they collect, store, use or manage any type of data from persons who are in Panamanian territory; except those activities regulated by special laws, as long as they comply with the standards for the correct protection and processing of data. From now on, companies will have to show their conditions to collect data in a simple and easily accessible way, using clear language and always informing about each purpose for the data processing.
High Court Rejects Procedural Challenge Against DPC’s Inquiry Into EU-U.S. Data Transfers
The High Court, in a 197-page judgment, has dismissed a legal challenge against a decision by the Data Protection Commission (DPC) to commence an “own volition” inquiry into the applicant’s data transfers to its parent company in the US, and to issue a preliminary draft decision (PDD) proposing to suspend such transfers.
The applicant brought judicial review proceedings against the DPC, alleging that the inquiry and PDD were unlawful on a number of procedural grounds. In particular, the applicant claimed that the DPC had breached its legitimate expectation that the DPC would follow the statutory inquiry procedure set out in its Annual Report for 2018, on its website, and that it had adopted in other inquiries. The applicant also claimed the DPC had breached its right to fair procedures by failing to conduct an investigation/inquiry before reaching a decision. The High Court rejected all of the applicant’s grounds of challenge, finding that the DPC’s decision to commence an inquiry and issue the PDD, along with the associated procedural steps, were lawful.
The proceedings concerned the procedural rights and obligations of the parties in the context of the DPC’s inquiry following Schrems II, rather than the merits of the DPC’s preliminary views in the PDD.
Following the Schrems II decision (see our previous update), the DPC informed the applicant that it considered it appropriate to commence a new own volition inquiry under section 110 of the Data Protection Act (DPA 2018), and Article 60 of the GDPR. The inquiry would examine whether the applicant’s transfers of personal data relating to EU/EEA users are lawful, and whether any corrective power should be exercised by the DPC. The DPC issued a PDD, which stated that, it was the DPC’s preliminary view, that the applicant is infringing Article 46(1) of the GDPR and proposed suspending its data transfers to the US.
The DPC’s reasoning for the proposed suspension was that the SCCs (which are used by the applicant to transfer data to the US) cannot compensate for the inadequate protection provided by U.S. law, and the applicant did not appear to have implemented supplementary measures. The DPC proposed a suspension rather than a “ban” on the data transfers, on the basis that the applicant might later be able to adopt measures to address the deficiencies identified in the PDD. It gave the applicant 21 days to make submissions on the PDD.
Judicial Review Proceedings
The applicant issued judicial review proceedings against the DPC, seeking to quash the DPC’s decision to commence an “own volition” inquiry, issue the PDD, and adopt the procedures it had adopted. It argued that the DPC’s decision and procedures were unlawful on several grounds including:
- Alleged failure to conduct an investigation/inquiry before issuing the PDD;
- Alleged departure from published statutory inquiry procedures / breach of legitimate expectation;
- Alleged breach of fair procedures: 21-day period for submissions on the PDD
- Alleged breach of fair procedures: premature judgment;
- Alleged breach of fair procedures: involvement of Ms. Dixon at investigation and decision-making stage;
- Alleged failure to await publication of EDPB Guidance on the “supplementary measures”;
- Alleged breach of right to equality and non-discrimination (Inquiry into the applicant’s data transfers only);
- Inadequate reasons for issuing the PDD.
High Court Decision
The High Court held that of the DPC to commence the inquiry and issue the PDD, as well as the procedures it adopted for the purpose of its inquiry, were amenable to judicial review. Judge Barniville stated that in order to challenge the DPC’s “decision-making process”, the applicant had to be entitled to challenge the PDD itself, as the PDD not only commenced the inquiry but also set out the process which would ultimately lead to the “draft decision” being submitted by the DPC to the Article 60 procedure.
However, the court rejected each of the grounds of challenge advanced by the applicant. We have summarized the court’s conclusions below, in respect of each of the grounds of challenge.
1. Alleged failure by DPC to conduct an investigation/inquiry before reaching a decision
The applicant contended that the DPC acted in breach of its powers under section 110 of the DPA 2018, the GDPR, and the CJEU’s judgment in Schrems II, by failing to conduct an investigation or inquiry prior to issuing the PDD. It was alleged that the steps taken by the DPC prior to issuing the PDD were insufficient and that the PDD was factually incorrect. For example, the DPC stated in the PDD that the applicant had never sought to invoke any of the derogations in Article 26(1) of the Directive (the predecessor to Article 49 of the GDPR). However, the applicant submitted that the DPC knew that it was relying on such derogations. It referred to its submissions to the DPC dated 22 January 2016 (post-Schrems I), in which it had identified three legal bases for its data transfers to the US, including: (i) the SCCs; (ii) the data subject consent derogation under Article 26(1)(a) of the Data Protection Directive (predecessor to the Article 49(1)(a) of the GDPR), and (iii) the contractual necessity derogation under Article 26(1)(b) of the Data Protection Directive (predecessor to Article 49(1)(b) of the GDPR).
The court did not accept that the DPC acted in breach of the DPA 2018, GDPR, or the Schrems II decision, in terms of the investigation or inquiry to be conducted prior to issuing the PDD. Judge Barniville concluded that the DPC has a wide discretion in terms of the nature and extent of its statutory inquiries. Section 110 of the DPA 2018 expressly entitles the DPC to “cause such inquiry as it thinks fit to be conducted”. Furthermore, section 12(8) of the DPA 2018 makes it clear that, the DPC is entitled to “regulate its own procedures”. The court was satisfied that the DPC was in possession of “a vast amount of information” in light of the events since Mr. Schrems’ original complaint in 2013, and that the DPC had carried out some further investigation before deciding to commence the new inquiry.
The court rejected the applicant’s contention that the PDD amounts to a “decision” on infringement and corrective power under section 111 of the DPA 2018, or the “draft decision” for submission to the Article 60 procedure. Judge Barniville stated that it was open and remains open to the applicant to make full submissions on the facts and law in relation to all the matters raised in the PDD and on any other matters it feels are relevant.
2. Alleged departure by DPC from published procedures/breach of legitimate expectation
The applicant contended that it had a legitimate expectation that the DPC would follow the statutory inquiry procedure set out in its Annual Report for May-December 2018; on the DPC’s website; and that it had adopted in other inquiries.
The court found that it was clear from the express terms of the 2018 Annual Report that the inquiry process set out therein was not binding on the DPC. The Report expressly stated that the 12-step process for statutory inquiries described therein was “illustrative only”; “not determinative of the precise steps which will be followed in each inquiry”; and “subject to change”. The court therefore rejected the applicant’s submission that it had a “legitimate expectation” that the DPC would follow the statutory inquiry procedure set out in its 2018 Annual Report and on its website.
The court also rejected the applicant’s contention there was a course of conduct or regular practice by the DPC of adopting such procedures in statutory inquiries prior to the present inquiry. In Judge Barniville’s view, it was doubtful that the relatively limited number of previous statutory inquiries was sufficient to constitute the sort of established procedure or regular practice which could give rise to a legitimate expectation that that practice would be followed in all cases. The Deputy DPC, Colm Walsh, stated that, as of December 2020, the DPC had commenced 27 cross-border inquiries, and 21 of those inquiries had been progressed using a procedure “broadly reflective of the illustrative process” set out in the 2018 Annual Report. However, he noted that the DPC had begun “a process of revising its procedures generally”, and “that review was ongoing“, and in recent inquiries, the DPC had departed from the illustrative procedure in the 2018 Annual Report.
The court concluded that even if it was satisfied that the applicant had established a legitimate expectation, based on published procedures and/or the practice followed by the DPC in other inquiries, it would be open to the DPC to depart from those procedures, provided that in doing so it complied with fair procedures. Ultimately, Judge Barniville said that the question was whether to depart from the published procedures or practice would be unfair or unjust to those affected. The court did not believe that it would be unfair or unjust for the DPC to depart from the published procedures for the purposes of the present inquiry.
3. Alleged breach of fair procedures: 21-day period to make submissions on the PDD
The applicant contended that the DPC had failed to comply with its obligation to provide fair procedures, by affording it an inadequate time-period (namely 21 days) to make submissions in response to the PDD.
The court agreed with the DPC that the precise content and extent of the fair procedures, including the right to be heard, depends on the particular circumstances and context of the process at issue. In considering an allegation of a breach of fair procedures in the course of a statutory process, the court held it is necessary to look at the entirety of the procedure and to consider the process as a whole. The court concluded that, in the particular circumstances of the present inquiry, that the 21-day period for submissions was adequate and did not amount to a breach fair procedures under Irish law, EU law or the GDPR.
4. Alleged breach of fair procedures: Premature judgment
The applicant asserted that this was a clear case of objective bias and premature judgment by the DPC. It was alleged that the DPC’s process started with a “decision” before the applicant was even aware that the process had commenced.
The court stated that the cases on pre-judgment or premature judgment all stress the importance of the language used by the decision-maker and the stage of the process at which the premature judgment is said to arise. In Judge Barniville’s view, it was clear that the PDD was not a final decision or “draft decision” for the purposes of the Article 60 process, as the views expressed by the DPC in the PDD were invariably qualified by the word “preliminary“. He concluded that, reading the PDD in its entirety, it was sufficiently clear that it was open to the applicant to make submissions to the effect that the DPC was wrong in relation to the views it expressed in the PDD. Judge Barniville therefore rejected this ground of challenge.
5. Alleged breach of fair procedures: Involvement of Data Protection Commissioner at investigation and decision-making stage
The applicant contended that the involvement of Ms. Dixon, at all stages of the inquiry process, in particular in both the investigative and decision-making stages was in breach of its right to fair procedures.
The court rejected this contention. Judge Barniville stated that there is no general principle that the same person cannot be involved at different stages of an inquiry process. However, he acknowledged that “there are undoubtedly some cases in which it is inappropriate and would be a breach of fair procedures for one person to be involved at all stages of a particular inquiry or adjudicative process”. It will very much be fact dependent. In this case, he concluded that it was entirely reasonable, given the history of the issues concerning EU-U.S. data transfers, that Ms. Dixon would be involved in the investigative and decision-making stages of the inquiry.
6. Failure to await EDPB Guidance and/or take timing of EDPB Guidance into account
The applicant contended that the DPC acted unlawfully in commencing the present inquiry in circumstances before the EDPB had published its guidance on measures that data exporters could implement to supplement the SCCs. In the alternative, the applicant argued that in commencing the inquiry, the DPC had failed to take into account a relevant consideration, namely the anticipated EDPB guidance on supplementary measures.
The court concluded that the DPC was not obliged to await publication of EDPB guidance before commencing its inquiry. In addition, the court rejected the applicant’s contention that the DPC had failed to take into account, as a relevant consideration, in its decision to commence with the inquiry, the fact that the EDPB would be issuing guidance on supplementary measures following the Schrems II judgment. However, Judge Barniville noted that the position might have been different if publication of the EDPB’s guidance was “imminent” when the DPC issued the PDD.
The court noted that Article 52(1) of the GDPR provides that “each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with [the GDPR]”. Furthermore, Article 52(2) of the GDPR requires supervisory authorities to “remain free from external influence, whether direct or indirect” and “[to] neither seek nor take instructions from anybody”. In the court’s view, an obligation to await EDPB guidance before proceeding to exercise powers under the GDPR (or under the DPA 2018) would be inconsistent with the independence of the DPC under the GDPR, and with the non-binding nature of the guidance which the EDPB is empowered to issue under Article 70(1)(e) of the GDPR. It would also be inconsistent with the obligations imposed on the DPC to act within a reasonable time-frame, and with due diligence.
7. Alleged Discrimination / Breach of right to equality (Inquiry into the applicant’s data transfers only)
The applicant pleaded that it was a breach of its rights to equality and non-discrimination for the DPC to commence an inquiry into its data transfers, but not into other entities’ transfers.
The court did not accept that the DPC was in breach of the applicant’s rights to equality and non-discrimination. In its view, the DPC was entitled to commence and proceed with the inquiry in respect of the applicant’s data transfers without having to carry out inquiries into other entities involved in similar transfers. Jude Barniville stated that a regulator, like the DPC, must be able to prioritize its enforcement actions unless the law provides otherwise, which in this case, it does not. In addition, the DPC did not have any legal obligation to explain why it had not commenced an own-volition inquiry against other entities who were using the SCCs for EU-U.S. data transfers. Judge Barniville acknowledged that the DPC does have an obligation to explain why it has decided to proceed against a particular entity, but it was obvious from the content of the PDD and surrounding circumstances why the DPC had chosen to proceed with an inquiry into the applicant’s data transfers.
8. Adequacy of DPC’s reasons
This ground of challenge overlapped with other grounds. The applicant sought a declaration that the DPC did not provide sufficient reasons for its commencement of the own volition inquiry, the PDD, and the inquiry process. The court was not satisfied that there was any deficiency in terms of the reasoning given by the DPC for its decision to commence the inquiry and take the various procedural steps and decisions it took.
The DPC will now resume its inquiry into the applicant’s data transfers to the US. The DPC has given the applicant six weeks to make submissions in response to the PDD. The DPC will then finalize and circulate its draft decision to the other Concerned Supervisory Authorities (CSAs) under the Article 60 GDPR procedure (i.e. the-one-stop-shop mechanism) for their opinion. If the CSAs agree with the DPC’s draft decision, the applicant could be forced to suspend its data transfers about EU/EEA users to its parent company in the US. In parallel with its statutory inquiry, the DPC will advance its handling of Mr. Schrems’ original complaint under sections 109 and 113 of the DPA 2018.
Ontario Mandates COVID-19 Vaccination Policies For Long-Term Care Homes
Starting next month, all Ontario long-term care homes will be required to implement COVID-19 vaccination policies for their staff, students and volunteers. This Directive, announced yesterday by the Ministry of Long-Term Care, was issued pursuant to section 174.1 of the Long-Term Care Homes Act, 2007, which authorizes the Minister to issue operational or policy directives respecting long-term care homes where it is in the public interest to do so.
The Directive aims to set out a provincially consistent approach to COVID-19 immunization policies in long-term care homes, optimize COVID-19 immunization rates in long-term care homes, and ensure that individuals have access to information required to make informed decisions about COVID-19 vaccination.
According to the Directive, COVID-19 vaccination policies must apply to all staff, student placements, and volunteers in long-term care homes, regardless of the frequency or duration of their attendance in a home. These individuals will have up to 30 days from the effective date of the Directive (i.e. until July 31, 2021), or from the first day they begin attending at the home, to meet the applicable policy requirements, subject to reasonable extension due to unforeseen or extenuating circumstances.
At a minimum, the policy requirements include that each long-term care home staff member, student and volunteer do one of the following:
- Provide proof of vaccination of each dose;
- Provide written proof from either a physician or nurse practitioner of a medical reason that prevents the person from being vaccinated against COVID-19 and the effective time period for the medical reason; or
- Participate in an educational program approved by the licensee of the long-term care home that, at a minimum, addresses how COVID-19 vaccines work, vaccine safety related to the development of the COVID-19 vaccines, the benefits of vaccination against COVID-19, risks of not being vaccinated against COVID-19 and possible side effects of COVID-19 vaccination.
Licensees of long-term care homes must have a process in place for following-up with individuals who have not yet received a second dose, or upon the expiry of the effective time period of a medical reason provided by the individual’s health practitioner.
A home’s COVID-19 vaccination policy must clearly set out the consequences for individuals who fail to comply with the policy, and such consequences must be in accordance with the licensee’s human resources policies, collective agreements, and any applicable legislation, directives, and policies.
Further, a licensee of long-term care home must ensure that their COVID-19 vaccination policy is communicated to all staff, student placements and volunteers, and that a copy of the policy—either in hardcopy or electronic format—is made available to residents and their substitute-decision makers free of charge.
Long-term care home licensees will also be required to track and report (at least monthly) to the Ministry on the implementation of their policies, including overall staff immunization rates. However, the immunization status of individual staff members will not be shared with the province.
Public health measures including active screening, masking, physical distancing and hand hygiene will continue to be required of all staff, students, volunteers, residents and visitors, in addition to mandatory COVID-19 vaccination policies.
Long-term care homes must have their COVID-19 vaccination policies fully implemented by July 1, 2021. The Province has promised to help homes establish their COVID-19 vaccination policies by identifying resources which can be utilized to inform individuals about the benefits of vaccination. Currently, Ontario has made a free COVID-19 Vaccine Promotion Toolkit publicly available.
When creating and implementing COVID-19 vaccination policies, long-term care homes will need to give proper consideration to the following:
- their obligations to accommodate employees under the Human Rights Code. Under the Code, employers have a duty to accommodate employees who may be unable to receive a COVID-19 vaccine, for reasons related to disability, pregnancy or creed, unless it would amount to undue hardship based on cost or health and safety;
- employee entitlements to up to three paid sick days under the Employment Standards Act, 2000, and any contractual entitlements to paid sick leave, related to getting vaccinated and recovery from any associated side effects;
- privacy issues which may emerge from the collection and use of medical documentation from staff, students and volunteers. For instance, the Human Rights Commission has taken the position that employers should only request and share medical information, including proof of vaccination, in a way that intrudes as little as possible on an individual’s privacy, and does not go beyond what is necessary to ensure fitness to safely perform work, protect residents receiving services in the home; and accommodate any individual needs;
- duties under the Occupational Health and Safety Act to protect workers who are not vaccinated from workplace harassment; and
- in unionized workplaces, the terms of any collective agreements in place and any obligations to consult with the union or the joint health and safety committee.
President Biden’s Cybersecurity Executive Order
President Joseph Biden issued an executive order on May 12 to improve the nation’s cybersecurity. While much of the executive order focuses on strengthening the federal government’s networks from cybersecurity threats, “[t]he private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.” The Biden-Harris administration hopes that the private sector will follow the federal government’s example. Among the improvements listed in the executive order are:
Enhancing Software Supply Chain Security
The executive order requires the federal government to issue guidance identifying practices that enhance the security of the software supply chain. The guidance must address secure software development environments, including the following actions:
- Using administratively separate build environments
- Auditing trust relationships (as further defined in the executive order)
- Establishing multifactor, risk-based authentication and conditional access across the enterprise
- Documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build, and edit software
- Employing encryption for data
- Monitoring operations and alerts and responding to attempted and actual cyber incidents
The guidance must also address the creation and provision of artifacts demonstrating use of a secure development environment; the use of automated tools to maintain trusted source code supply chains and check for known and potential vulnerabilities; remediation of such vulnerabilities prior to product release; publication of a summary of such risks that were discovered and remediated; maintenance of accurate and up-to-date data, provenance of software code and components, and controls on internal and third-party software code or components; performance of audits of these controls regularly; provision to purchasers of a Software Bill of Materials (which is defined in the executive order) for each product (either directly or on a website); participation in a vulnerability disclosure program; attestation to secure software development practices; and attestation to the integrity and provenance of open source software used within any product.
Further, the executive order calls for the creation of pilot programs for consumer software labels addressing IoT (Internet of Things) cybersecurity criteria and secure software development practices. The criteria must reflect increasingly comprehensive levels of testing and assessment. The federal government should also consider ways to incentivize manufacturers and developers to participate in the programs.
Establishing a Cyber Safety Review Board
The executive order also calls for the creation of a Cyber Safety Review Board to review and assess significant cyber incidents (as defined under Presidential Policy Directive 41 of July 26, 2016 (United States Cyber Incident Coordination) (PPD-41)). The board will be modeled on the National Transportation Safety Board, which is used to investigate transportation accidents. The board’s membership will consist of both federal officials and representatives from the private sector. The board’s purpose will be to analyze significant cyber incidents and provide recommendations for improving cybersecurity.
After Much Anticipation, The U.S. Department Of Labor Issues Cybersecurity Guidance
In April 2021, the U.S. Department of Labor (DOL) announced new cybersecurity guidance (the Guidance) for protecting ERISA-covered plan data from internal and external cybersecurity threats. This Guidance is the first of its kind from the DOL and supplements DOL regulations that govern electronic records and disclosures to plan participants and beneficiaries.
The Guidance, which comes in the form of “tips” and “best practices,” is primarily directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act of 1974, as amended (ERISA), as well as service providers and plan participants. The Guidance does not have regulatory authority but does provide insight into the DOL’s expectations with respect to cybersecurity. As such, it is likely to inform enforcement activity, litigation, and service provider contracting in the future.
While the Guidance is consistent with cybersecurity measures in existing federal and state laws, and other cybersecurity guidance, standards and best practices, it focuses on cybersecurity obligations in the context of ERISA’s fiduciary obligations. The Guidance recognizes that plan sponsors and other fiduciaries have an obligation to mitigate cybersecurity risks, including by prudently selecting and monitoring service providers with strong cybersecurity practices. There are three parts to the Guidance: (1) Tips for hiring a service provider, (2) Cybersecurity program best practices, and (3) Online security tips. The first part of the Guidance sets forth tips for hiring a service provider with strong cybersecurity practices. The second part of the Guidance discusses cybersecurity best practices for recordkeepers and other service providers. The third and final part of the Guidance provides tips for plan participants.
Tips for hiring a service provider
The Guidance sets forth tips to help plan sponsors and fiduciaries meet their responsibilities under ERISA to prudently select and monitor service providers upon whom they rely to maintain plan records and store participant data, focusing on due diligence and contract negotiation. The Guidance recommends that plan sponsors and fiduciaries assess their service providers’ cybersecurity practices by taking the follow actions:
- Request copies of each service provider’s information security standards, practices and policies; compare them to industry standards that have been adopted by other, similar institutions; and inquire as to how the service provider validates its practices and implements its policies and standards.
- Confirm whether and how the service provider validates its information security practices.
- Investigate the service provider’s track record of protecting plan data, such as whether the service provider has had any information security incidents or related litigation.
- Ask the service provider if it has had a data security breach, and if so, what happened and what the service provider did in response.
- Confirm the service provider has insurance that covers cybersecurity-related losses and data breaches.
- Ensure the service provider’s agreement requires ongoing compliance with cybersecurity and information security standards and also includes terms that: do not limit the service provider’s responsibility for data security breaches, include a right to audit the service provider’s compliance with its information security policies and procedures, clearly limit the use and sharing of data (including confidential information), require notification of a data breach or cyber incident, require compliance with privacy, security and data retention laws, and require the service provider to meet minimum cyber-insurance requirements.
Cybersecurity program best practices
The Guidance advises plan sponsors and fiduciaries to ensure that the service providers they hire, including recordkeepers and other service providers responsible for plan-related IT systems and data, have a formal, well-documented information security program that includes business continuity, disaster recovery, and incident response policies and procedures. Such an information security program should also:
- Include annual risk assessments and third-party audits.
- Define and assign information security roles and responsibilities, including providing sensitive information only on a need-to-know basis (i.e., access controls).
- Include cybersecurity awareness training.
- Require security control assessments of cloud and other service providers that process or store plan data.
- Implement and maintain a “security systems development lifecycle program” (e.g., vulnerability scans, code review, and architecture analysis).
- Include business continuity, disaster recovery, and incident response plans.
- Require the encryption of sensitive data at rest and in transit.
- Require the implementation of strong technical controls for hardware, software, and firmware following best practices.
- Respond appropriately to any cybersecurity incidents, including mitigating the harm and addressing the vulnerability.
Online security tips
The Guidance recommends that plan participants take the following precautions:
- Routinely monitor benefits plan accounts and keep contact information current.
- Use complex and unique passwords and multi-factor authentication for benefits plan accounts.
- Close and delete unused accounts.
- Beware of accessing accounts through public Wi-Fi.
- Beware of email and telephone phishing attacks.
- Use anti-virus software.
- Report identity theft and cybersecurity incidents to the FBI and Department of Homeland Security, and if related to your benefits plan, report to your employer.
The Guidance provides much anticipated insight into the DOL’s expectations of plan sponsors and fiduciaries in the context of cybersecurity, although it also leaves open many questions, including how the Guidance might be used in the future (e.g., DOL enforcement activity, private party litigation, service provider contracting, and the like). Plan sponsors and fiduciaries should consider incorporating the DOL’s due diligence recommendations into their hiring practices for service providers and should evaluate service providers’ cybersecurity programs in light of the DOL’s best practice criteria. Likewise, service providers may wish to review their cybersecurity programs and standard contract terms related to cybersecurity. Finally, plan sponsors should consider sharing the DOL’s online security tips with plan participants.
Biden Signs Executive Order Protecting Americans’ Sensitive Data From Foreign Adversaries
On June 9, 2021, President Biden signed an Executive Order (“June 9 E.O.”)1 elaborating on measures to protect the information and communications technology and services (“ICTS”) supply chain with specific emphasis on connected software applications.2 The June 9 E.O. directs federal agencies to (1) assess the threats posed by connected software applications controlled by foreign adversaries, (2) provide recommendations on how to protect sensitive personal data of U.S. persons, and (3) evaluate transactions involving connected software applications that pose risks to U.S. national security. The June 9 E.O. also revokes three Executive Orders issued last fall by former President Trump that targeted several Chinese communications and financial technology software applications, including TikTok and WeChat.
The June 9 E.O. also provides that the Department of Commerce is to take appropriate action in accordance with E.O. 138733 and its implementing regulations with respect to transactions involving connected software. E.O. 13873 further gives the U.S. Government remedial authority over any transaction involving ICTS from foreign adversaries, including China and Russia.
Connected software applications are designed to be used on an end-point computing device and include the ability to collect, process, or transmit data via the Internet as an integral functionality. Connected software applications can access and capture vast swaths of information from users, including personal information and proprietary business information. Such data collection threatens to provide foreign adversaries with access to that information, which in turn presents a significant threat to U.S. national security.
According to E.O. 13873, ICTS transactions are prohibited if they pose an (i) undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States, (ii) undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; or (iii) unacceptable risk to the national security of the United States or the security and safety of United States persons.4 (For additional context with respect to E.O. 13873 and its implementing regulations, see our previous article, New U.S. Rules on Securing the Information and Communications Technology and Services Supply Chain Mean Increased Scrutiny of ICTS Transactions.)
According to guidance published concurrently with the June 9 E.O., ICTS transactions involving connected software applications may be considered to present a heightened risk when the transactions involve applications that are “owned, controlled, or managed by persons that support foreign adversary military or intelligence activities, or are involved in malicious cyber activities, or involve applications that collect sensitive personal data.”5
As a result of the June 9 E.O., companies should be aware that connected software applications will be analyzed under the framework to protect the ICTS supply chain established under E.O. 13873. Specifically, companies should understand the capabilities of the software applications they use and whether a foreign adversary owns or controls those applications. Due diligence may require investigations into the ownership and management structures of companies operating such connected software applications.
Tax Credits Available For Employers Granting Paid Leave Related To COVID-19 Vaccinations
The American Rescue Plan Act of 2021 (ARP) allows certain businesses (generally, employers with fewer than 500 employees and non-federal governmental employers) to claim refundable tax credits as a reimbursement for the cost of providing paid sick and family leave from April 1, 2021 through September 30, 2021 to their employees due to COVID-19, including leave taken by employees to receive or recover from COVID-19 vaccinations. Self-employed individuals are eligible for similar tax credits.
The paid leave credits under the ARP are tax credits against the employer’s share of the Medicare tax and are refundable (allowing the employer to reimbursement of the full amount of the credits if it exceeds the employer’s share of the Medicare tax).
The credit is available to employers who qualify and voluntarily provide employees with Emergency Paid Sick Leave and/or Expanded Family, and Medical Leave through September 30, 2021. Employers must be aware of the new requirements under the ARP to qualify for the extended credit:
- Employers may voluntarily provide a new bank of up to 80 hours of Emergency Paid Sick Leave, for which the tax credit will apply starting April 1.
- Employers must expand their list of reasons for leave to include getting a COVID-19 vaccine, recovering from adverse reactions to the vaccine, and awaiting the results of a COVID diagnosis or test after having close contact with a person with COVID-19 or at the employer’s request.
- The first ten days of Expanded Family and Medical Leave must be paid.
- Employers who choose to provide the qualifying paid leave and want to qualify for the tax credit are prohibited from discriminating in favor of highly compensated employees, full-time employees, or based on employment tenure.
The tax credit for paid sick leave wages is equal to the sick leave wages paid for COVID-19 related reasons for up to two weeks (80 hours), limited to $511 per day and $5,110 in the aggregate, at 100 percent of the employee’s regular rate of pay. The tax credit for paid family leave wages is equal to the family leave wages paid for up to twelve weeks, limited to $200 per day and $12,000 in the aggregate, at two-thirds of the employee’s regular pay rate. Allocable health plan expenses and contributions for certain collectively bargained benefits, as well as the employer’s share of social security and Medicare taxes paid on the wages (up to the respective daily and total caps) increase the amount of the tax credit.
Employers can claim the credit on Form 941. Furthermore, employers may anticipate claiming the credits on Form 941 by retaining the federal employment taxes that they otherwise would have deposited, including federal income tax withheld from employees, the employees’ share of social security and Medicare taxes, and the eligible employer’s share of social security and Medicare taxes for all employees up to the amount of credit for which they are eligible. An employer may request an advance of the credits by filing Form 7200 if the employer does not have enough federal employment taxes set aside for deposit to cover amounts provided as paid sick and family leave wages.
For a specific explanation on how to calculate the credit, please see the instructions for Form 941.