November 2017 Screening Compliance Update

Federal Developments

CFPB Publication of Annual Maximum Charge for File Disclosures
The Consumer Financial Protection Bureau published its annual maximum charge for file disclosures.
https://www.gpo.gov/fdsys/pkg/FR-2017-11-16/pdf/2017-24855.pdf

DOT Amends Employee Drug Testing Requirements
The Department of Transportation (DOT) has published its long-awaited final rule amending its drug testing program for DOT-regulated employers. The new rule comes in the wake of the Department of Health and Human Services (HHS) revised “Mandatory Guidelines for Federal Workplace Drug Testing Programs” which became effective on October 1, 2017.

The new DOT rule makes the following significant changes:

• Adding four semi-synthetic opioids (hydrocodone, oxycodone, hydromorphone, and oxymorphone) to the drug testing panel, which is “intended to help address the nation-wide epidemic of opioid abuse” and create safer conditions for transportation industries and the public;
• Adding methylenedioxyamphetamine (MDA) as an initial test analyte because, in addition to being considered a drug of abuse, it is a metabolite of methylenedioxyethylamphetaime (MDEA) and methylenedioxymethamphetamine (“MDMA”), and such testing potentially acts as a deterrent;
• Removing testing for MDEA from the existing drug testing panel;
• Removing the requirement for employers and consortium/third party administrators (C/TPAs) to submit blind specimens in order to relieve unnecessary burdens on employers, C/TPAs, and other parties; and
• Adding three “fatal flaws” to the list of when a laboratory would reject a specimen and modifying the “shy bladder” process so that the collector will discard certain questionable specimens.

The new rule goes into effect on January 1, 2018. Employers who comply with DOT standards when drug testing should modify their drug testing policies accordingly. Employers that are not subject to DOT requirements, but comply with the HHS Mandatory Guidelines for Federal Workplace Drug Testing Programs also should consider whether to modify their drug testing policies to comply with the new rules and guidelines.
https://www.lexology.com/library/detail.aspx?g=6ccdd44f-5ac7-42e6-b89c-19b4ba88810f&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-11-17&utm_term
https://www.gpo.gov/fdsys/pkg/FR-2017-11-13/pdf/2017-24397.pdf
https://www.federalregister.gov/documents/2017/01/23/2017-00979/mandatory-guidelines-for-federal-workplace-drug-testing-programs

CFPB Consent Order Against Xerox
On November 20th, the CFPB entered a consent order against Xerox Business Services, LLC for allegedly providing software to clients that contained flaws causing incorrect consumer information to be sent to credit reporting agencies (CRAs), and for failing to notify clients about the flaws. According to the CFPB, Xerox provided third-party software, which automatically generated and transmitted information to CRAs regarding borrowers’ automobile loans, to clients that contained flaws causing incomprehensive information to be reported to CRAs—including the date of borrowers’ first delinquent payment, actual payment amounts, and the amount past due. In addition, the Company failed to notify clients of the software flaws. Under the consent order, the Company must: (i) Explain the errors that resulted from the flawed software to its clients, notify lenders of any future, potential, or actual errors within 30 days of its discovery, and explain the correct use of the software when the coding is revised; (ii) Provide the CFPB with a compliance plan demonstrating how the Company will identify and correct all defects in the software; and (iii) Pay a $1.1 million penalty to the CFPB’s Civil Penalty Fund.
https://www.consumerfinance.gov/about-us/newsroom/cfpb-fines-xerox-business-services-11-million-incorrect-consumer-information-sent-credit-reporting-agencies/

False Claim to Participation in Privacy Shield
FTC gives final approval to settlements with companies that falsely claimed participation in Privacy Shield.
https://www.ftc.gov/news-events/press-releases/2017/11/ftc-gives-final-approval-settlements-companies-falsely-claimed

FINRA Enforcement Action
On November 21st, the Financial Industry Regulatory Authority announced that it fined J.P. Morgan Securities, LLC $1.25 million for allegedly not conducting timely or adequate background checks on approximately 8,600 of its non-registered associated persons between January 2009 and May 2017. As a result, some individuals who were subject to a “statutory disqualification” based on their criminal history remained associated with the Company.

Court Cases

California Court: FCRA Violation Not Sufficient for Standing
Citing Spokeo, Inc. v. Robins, a California federal court tossed a background check suit against Home Depot. The plaintiff charged the employer with violating the Fair Credit Reporting Act by combining a waiver with a disclosure form, arguing the statute requires they be kept separate. Home Depot moved to dismiss, contending that the candidate failed to state an injury-in-fact as required by Spokeo. The court agreed, finding that the plaintiff’s mere allegation of a statutory violation was insufficient to establish concrete harm. “Because [the plaintiff] failed to allege a concrete injury, the court finds that [she] failed to sufficiently plead the requisite elements of standing in her complaint,” the court wrote, dismissing the suit. Katherine Saltzberg sought employment with Lifetime Solutions, a Home Depot service provider, in March 2016. In addition to her employment application, Saltzberg completed Home Depot’s standard background check forms, which consisted of two pages. The first page, titled “Background Check Candidate/Employee Information,” contained blanks for an candidate’s personal contact information, provisions stating that information obtained would not be used for purposes that violate equal opportunity laws or regulations, a liability waiver, and a signature line. The second, separate page was titled “Authorization” and included language disclosing Home Depot’s intent to conduct a background investigation, which would involve investigating the candidate’s work record, references and education, as well as a signature line. Saltzberg was hired to work for Lifetime in May 2016. But earlier this year, she filed a putative class action against Home Depot, alleging that the company violated the Fair Credit Reporting Act (FCRA) by failing to make proper disclosures and neglecting to obtain proper authorization. The combination of the two forms constituted one document, Saltzberg claimed, and ran afoul of the statutory requirement that each disclosure be provided in a separate document. Home Depot responded with a motion to dismiss, arguing that Saltzberg failed to allege an injury-in-fact as required by the Supreme Court’s 2016 decision in Spokeo, Inc. v. Robins. In that case, the justices held that a “bare procedural violation” of a statute is insufficient to confer standing where there is no real harm and that a plaintiff must show a “concrete” injury-in-fact to satisfy Article III. Applying this standard, U.S. District Judge R. Gary Klausner dismissed the case. “Saltzberg failed to plead even general allegations of injury in her Complaint,” the court said. “Saltzberg alleges that Home Depot violated [the statute] by ‘obtain[ing] consumer reports without proper authorization.’ This is ultimately an allegation of a statutory violation, not an injury-in-fact. The injury-in-fact requirement is not ‘automatically satisfie[d] … whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.’” As the plaintiff failed to sufficiently plead the requisite elements of standing in her complaint, the court lacked subject matter jurisdiction to hear the dispute. “The Supreme Court has made it clear that ‘Article III standing requires a concrete injury even in the context of a statutory violation,’” Judge Klausner wrote. “Merely asserting a violation of the FCRA is insufficient without connecting it to a concrete injury.”
To read the order in Saltzberg v. Home Depot: https://www.manatt.com/Manatt/media/Media/PDF/Newsletters/Employment/Saltzberg-v-Home-Depot-USA-Inc.pdf
https://www.lexology.com/library/detail.aspx?g=cd7b4813-0cbf-460f-9636-1cc656a06e9b&utm_source=lexology+daily+newsfeed&utm_medium=html+email+-+body+-+general+section&utm_campaign=acc+newsstand+subscriber+daily+feed&utm_content=lexology+daily+newsfeed+2017-11-09&utm_term

Supreme Court Declines to Hear Appeal of Ninth Circuit Decision on FCRA Willfulness in Disclosure Forms
One of 2017’s more significant Fair Credit Reporting Act court opinions was the Ninth Circuit’s January 20 decision in Syed v. M-I, LLC, a putative FCRA class action. In its decision, the Ninth Circuit Court of Appeals held that a prospective employer willfully violated the FCRA by including a liability waiver in its background check disclosure form. The Court’s pronouncement was significant because it was, in a case of first impression, an appellate ruling that a particular course of conduct was willful violation of the statute as a matter of law.

The underlying case concerned a pre-employment background check disclosure form that included a waiver to discharge and release M-I from any potential liability related to the background check process. The district court dismissed the claims, finding there were insufficient allegations of willfulness. The Ninth Circuit reversed, relying on Section 1681b(b)(2)(A)’s “unambiguous” language that a disclosure must consist “solely of the disclosure.” After the Ninth Circuit denied a request for rehearing, M-I, in papers filed in June, sought review by the Supreme Court, arguing Syed lacked standing and that the Ninth Circuit’s willfulness holding was incorrect. M-I argued the case raised important issues for the industry. The case also drew a handful of amicus briefs. On November 13, in a miscellaneous orders list, the Supreme Court denied M-I’s petition for certiorari, providing no explanation for its reason for doing so. As such, the Ninth Circuit’s decision stands as the pronouncement of the issue of willfulness in the case.
https://www.lexology.com/library/detail.aspx?g=5a09f548-f283-4b47-9f79-03f91a183931&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-11-17&utm_term

Wal-Mart Manager Terminated for Alleged Drug Abuse Files ADA Disability Bias Claim
former Wal-Mart manager Kathryn Silva filed an ADA disability bias claim in the Middle District of Pennsylvania that alleged Wal-Mart terminated her because she refused to sign a “last chance agreement.” The agreement required her to admit to substance abuse, undergo regular drug screening, and enroll in a substance abuse program. At the time, Silva was purportedly afflicted with several conditions, including arthritis, sciatica, scoliosis, anxiety, and high blood pressure. She alleged that her doctors prescribed her medications to treat these medical conditions and enable her to perform the essential functions of her job. She further alleged that Wal-Mart declined to confirm that her doctors had legally prescribed her medication to treat her medical conditions. Due to her medical conditions, Silva is likely a “qualified individual” with a disability under the Americans with Disabilities Act (“ADA”)—an individual who, with reasonable accommodation, could perform the essential functions of the employment position that she held. See 42 U.S.C. 12111(8). ADA prohibits “covered entities”—generally employers with 15 or more employees—from discriminating against qualified individuals because of their disabilities. ADA does not, however, protect employees or candidates who are “currently engaging” in the illegal use of drugs. See 42 U.S.C. 12114(a). While it may seem obvious to employers that ADA does not prevent them from terminating substance abusers, they must be careful. ADA protects qualified individuals with disabilities who are “erroneously regarded” as engaging in illegal drug use. On the facts of Silva’s complaint alone, she appears to fit into this category. Thus, if true, Wal-Mart’s decision to terminate her for refusing to sign the last chance agreement may be a costly one. This does not mean, however, that employers may not take steps necessary to ensure drug-free workplaces. The ADA permits testing for illegal drug use. A drug test is not considered a medical examination under the ADA. As a result, employers may conduct testing of candidates or employees and make employment decisions based on the results. Employers should be cautious, however, not to make employment decisions based on drug test results that an employee’s medically necessary and legally prescribed drugs may have impacted. On the other hand, if the employer can demonstrate that the employee cannot perform the essential functions of the position when taking the medication, then the employer may take action. While a test for illegal drugs is not a medical examination under the ADA, a test for alcohol is. Thus, employers generally may not test job candidates for alcohol before offering them a position. With respect to current employees, employers may test them for alcohol if they have a reasonable belief that they are under the influence of alcohol at work. They may also test employees following a workplace accident. Finally, employers may maintain and enforce rules prohibiting employees from being under the influence of alcohol or illegal substances in the workplace. As a best practice, employers should implement policies that explain: when drug or alcohol testing may occur; how it will be administered; and that the results of the tests will be confidential. Employers should also check state and local laws regarding drug and alcohol testing.
https://www.lexology.com/library/detail.aspx?g=1fecd8d4-0510-44ae-a2c3-4ce1ba72731f&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-11-09&utm_term

Avis FCRA Settlement
On November 14th, car rental company, Avis, agreed to a $2.7 million class-action settlement for alleged Fair Credit Reporting Act (FCRA) violations. According to the original complaint, Lead Plaintiff Angela Fuller alleged that the Company failed to properly disclose in a stand-alone document that it might obtain her consumer report and failed to provide a pre-adverse action notice before rejecting her job application, in violation of the FCRA. The Plaintiff claimed that the information was incorrect and the Company failed to allow her to dispute the error, which prevented her from getting the job. The case is Angela Fuller v. Avis Budget Car Rental LLC et al., case number 2:15-cv-03856, in the U.S. District Court for the District of New Jersey.
https://www.lexisnexis.com/legalnewsroom/labor-employment/b/newsheadlines/archive/2017/11/20/avis-reaches-2-7m-deal-in-fcra-background-check-suit.aspx?Redirected=true

Sodexo Escapes FCRA Putative Class Action
Consumer plaintiff Robert Piveronas filed a putative Fair Credit Reporting Act class action in Pennsylvania state court against Sodexo, Inc., alleging that the multinational corporation routinely violates the FCRA’s mandate that employers provide consumers with a “clear and conspicuous” background check disclosure, consisting solely of the disclosure, before procuring a consumer report. Piveronas also alleged that Sodexo’s disclosures conflate “consumer reports” and “investigative consumer reports” under the FCRA, thus erasing the statutory distinction between the two types of reports (and the attendant obligations on employers who procure one or both). Sodexo subsequently removed the case to the United States District Court for the Western District of Pennsylvania. Shortly thereafter, the parties agreed to stay the case pending the outcome of a scheduled mediation in July 2017. Through the mediation and subsequent negotiations, the parties ultimately reached a settlement in September. On November 3, Piveronas filed a stipulation of dismissal with prejudice. Sodexo thus resolved this putative class action through an individual settlement.
https://www.lexology.com/library/detail.aspx?g=d8f0bb1e-2c2e-4960-a997-cf35ef9ab57f&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-11-22&utm_term

State Developments

California TNC Order
On November 9th, the California Public Utilities Commission (CPUC) issued an order that requires transportation network companies (TNCs) to use background screening companies accredited by the Professional Background Screening Association (PBSA, formerly NAPBS). Specifically, the order requires TNCs to provide proof that a background screening company is accredited by NAPBS; conduct background screenings on drivers prior to them driving for a TNC; conduct annual background screenings on drivers; and to provide proof of drivers’ annual background screenings to the CPUC.
http://docs.cpuc.ca.gov/PublishedDocs/Published/G000/M198/K780/198780048.pdf

Medical Marijuana Closer to Entering the Pennsylvania Workforce
The Pennsylvania Department of Health officially launched its medical marijuana patient and caregiver registry last week, allowing patients with specific medical conditions to sign up for a state-issued certification card. The medication is expected to be available in Pennsylvania to certified users by May 1, 2018. The Medical Marijuana Act (SB 3) went into effect in 2016 and legalized medical marijuana for use by patients who suffer from qualifying conditions and who register with the state. Medical marijuana will only be available legally in certain forms and must be prescribed by a physician specifically licensed by the state. More than 100 physicians in Pennsylvania have been approved to participate in the medical marijuana program, and nearly 200 more are scheduled to take the required training.

The Medical Marijuana Act includes an employment non-discrimination provision preventing employers from taking adverse action against an individual solely on the basis of their status as a certified user of marijuana. However, it does not give employees the right to show up at work under the influence or otherwise fall below expected performance standards. Governing regulations hopefully will clarify employer obligations in this context.
https://www.lexology.com/library/detail.aspx?g=0848376b-e039-4034-bb4f-075339ec851f&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-11-08&utm_term

Employers Can Expect New Problems When Recreational Marijuana Hits New Jersey
Since 2010, cannabis use has been limited to medicinal purposes under the New Jersey Compassionate Use Medical Marijuana Act (CUMMA), codified at N.J.S.A. 24:6I-1, et seq. Under CUMMA, employers must reconcile accommodating employee-alleged disability (that is treated by prescription marijuana) with the competing need to ensure a safe and unimpaired workforce. CUMMA does not prevent employers from disciplining or terminating impaired employees, as the law specifically prohibits anyone—even someone with a prescription—from operating any vehicle or stationary heavy equipment while under the influence of marijuana. N.J.S.A. 24:6I-8. Likewise, nothing in CUMMA requires any New Jersey employer to accommodate the medical use of marijuana in any workplace. N.J.S.A. 24:6I-14.

New Jersey Law in 2018
Anticipating a change in administrations, New Jersey’s legislature introduced Bill S3195 in June 2017. If enacted, S3195 will legalize recreational marijuana use in New Jersey. Among other things, the bill will allow for the possession of up to one ounce of dried marijuana, 16 ounces of edible cannabis products, and 72 ounces of cannabis in liquid form. The sales tax on recreational purchases will start at seven percent in the first year, rising by five percent annually thereafter. Recreational marijuana would first be sold at the five existing medical marijuana dispensaries in New Jersey (in Bellmawr, Cranbury, Egg Harbor, Montclair, and Woodbridge), with other licensed locations to follow. S3195 mirrors CUMMA because it does not require any New Jersey employer to permit or accommodate marijuana use in the workplace. Likewise, it does not affect the ability of employers to maintain zero-tolerance policies prohibiting marijuana use or intoxication by employees during work hours. S3195, however, differs from CUMMA in one significant respect: It creates a separate cause of action making it unlawful for employers to take “any adverse employment action” against an employee merely because that person uses marijuana. Refusing to hire, or firing, such employees are two actions prohibited by S3195. This baseline prohibition is softened by only two caveats. First, an employer may affirmatively assert the defense that it has “a rational basis” for the adverse employment action which is “reasonably related to the employment.” This presumably includes safety-sensitive positions and instances in which the responsibilities of the current or prospective employee mandate the need for drug-free personnel. Second, employers will remain free to take adverse employment action against an employee if failure to do so places the employer in violation of federal law or causes it to lose a federal contract or funding.

Employers’ Bottom Line
The new legal claim created by S3195 joins New Jersey’s Law against Discrimination and Conscientious Employee Protection Act as yet another legal landmine facing New Jersey employers. Early indicators suggest S3195 will be fully implemented by the summer of 2018. In advance, hiring and disciplinary procedures and protocols should be updated to both maximize compliance with this new law and minimize management’s potential liability.
https://www.lexology.com/library/detail.aspx?g=0d67c5a9-e4b3-4305-a13b-7261daac4aa5&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-11-17&utm_term

Maine Legislature Fails to Override Governor’s Veto of Recreational Marijuana Law
On November 8, 2016, Maine voters approved “Question 1—An Act to Legalize Marijuana” (“Act”), and joined a handful of other states, including California, to have legalized the recreational use, retail sale and taxation of marijuana. As approved, the Act would have allowed persons 21 years of age or older to use or possess up to 2½ ounces of marijuana, consume marijuana in nonpublic places (including a private residence), and grow, at the person’s residence, up to 6 flowering marijuana plants (and up to 12 immature plants). The Act also would have legalized the purchase of marijuana or marijuana seedlings or plants from retail marijuana stores and cultivation facilities. Importantly for employers, the Act was the first law of its kind in the nation establishing express anti-discrimination protections for recreational marijuana users.

The Act was to become fully effective on January 30, 2017. However, on January 27, 2017, the legislature approved a moratorium on implementing parts of the law regarding retail sales and taxation until at least February 2018, giving time to resolve issues and promulgate rules.

However, on November 3, 2017, Governor Paul R. LePage vetoed the Act. In a letter to the legislature, the Governor outlined various reasons for his decision, including conflict between state and federal law, the Act’s failure to address compatibility issues with the state’s existing medical marijuana program, the Act’s bifurcated regulatory structure, and timelines the Governor viewed as unrealistic. On November 6, 2017, the Maine legislature sustained the Governor’s veto. Although Maine employers may have a reprieve from a recreational marijuana law, Maine employers with workplace policies in other jurisdictions should consider making clear that as marijuana is still illegal under federal law, it is considered an illegal drug under the drug-free workplace policy, taking steps to minimize the risks of negligent actions and safety concerns that may be caused by marijuana use, and having conversations with drug testing vendors to determine how positive marijuana tests will be handled and reported where medical marijuana is approved.
https://www.lexology.com/library/detail.aspx?g=1b3db8af-de34-419d-9c93-3144f4d66735&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-11-20&utm_term

Medical/Recreational Marijuana in the “Workplace”
Marijuana remains illegal under federal law. However, there are many states, and a few cities, which have legalized medical and recreational marijuana—creating challenges for employers, as these laws “sprout up” across the country. Also, prior to now, the caselaw was quite clear—an employer could discipline an employee for lawful use of marijuana. See Coats v. Dish Network, LLC, 350 P.3d 849 (Colo. 2015). But the law appears to be changing, as recent cases indicate that courts are beginning to recognize that employees who are lawful users of marijuana are entitled to some protection. It is a trend that employers need to watch. A quick check of the states where recreational or medical marijuana is legal:

Medical—

Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Hawaii, Illinois, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Dakota, Ohio, Oregon, Pennsylvania, Rhode Island, Vermont, Washington, and West Virginia.

The above list does not include states where the drug is approved for more limited uses and/or conditions. In addition, the 2017 November elections reflected victories for many pro-pot politicians and legislations, including in New Jersey and Virginia.

Recreational—

Alaska, California, Colorado, Maine, Massachusetts, Nevada, Oregon, and Washington.

Massachusetts: July 2017
In Barbuto v. Advantage Sales & Marketing, LLC, the Supreme Judicial Court of Massachusetts examined the legal rights of those using medical marijuana, after an employee, terminated for a positive marijuana test sued her former employer. 477 Mass. 456 (2017). Plaintiff Barbuto, who suffered from Crohn’s disease, was offered a position with Advantage. She informed a company representative that she would test positive for marijuana on the mandatory drug test, as she was prescribed medical marijuana. Following assurance that the marijuana use should not be a problem, Ms. Barbuto underwent the drug test and completed her first day of work. However, that evening, a Human Resources representative contacted Ms. Barbuto and terminated her for testing positive for marijuana, allegedly stating, “we follow federal law, not state law.” Ms. Barbuto sued Advantage as well as the individual who terminated her employment.

A lower court granted a motion to dismiss on most claims. However, this was reversed on appeal, finding that Ms. Barbuto had a claim for handicap discrimination in violation of Massachusetts state law, as she was lawfully using medical marijuana. The employer advanced two arguments: Advantage argued that (1) the only accommodation Ms. Barbuto requested was illegal under federal law and thus “facially unreasonable” and (2) even if Ms. Barbuto was a “qualified handicapped person,” she was terminated because she failed to pass a drug test required to be passed by all employees, not because of her handicap. The appellate court rejected both arguments but was careful to note that allowing Ms. Barbuto’s handicap discrimination claim to survive did not necessarily mean Ms. Barbuto would be able to successfully establish a claim. The court opined that at later phases of the case, the employer may be able to successfully show that Ms. Barbuto’s use of medical marijuana constituted an undue hardship. Following the July 2017 decision, the case continues to move through Massachusetts’s lower court system.

Connecticut: August 2017
The issue moved across state lines into Connecticut the following month, with a federal district court’s August 8, 2017 decision in Noffsinger v. SSC Niantic Operating Company LLC, No. 3:16-CV-01938(JAM), 2017 WL 3401260 (D. Conn. Aug. 8, 2017). In Noffsinger, once again within the context of a motion to dismiss, the court addressed an issue of first impression and held that a plaintiff who uses marijuana for medicinal purposes in compliance with Connecticut law may maintain a cause of action against an employer who refuses to employ her as a result of this use.

The case arose when the plaintiff, Katelin Noffsinger, an individual who had been prescribed medical marijuana as a treatment for posttraumatic stress disorder, applied for and was hired as a director of recreational therapy for a long-term care facility. As part of the onboarding process, Ms. Noffsinger was required to take a drug test. She provided the employer with her medical marijuana registration certificate, and said she only used the drug when off-duty. However, the day before Ms. Noffsinger was scheduled to begin work, the company rescinded her job offer due to her positive drug test result.

Ms. Noffsinger sued, including claims of a violation of the Connecticut “Palliative Use of Marijuana Act” (“PUMA”) and negligent infliction of emotional distress. The company moved to dismiss. In its decision denying the employer’s motion with respect to the above claims, the federal court carefully considered PUMA, which provides explicit protection against employment discrimination based on use of medical marijuana. Specifically, PUMA provides that, “[n]o employer may refuse to hire a person or may discharge, penalize or threaten an employee solely on the basis of such person’s or employee’s status as a qualifying patient…” Conn. Gen. Stat. Ann. § 21a-408p. The employer argued that PUMA was preempted by the Federal Controlled Substances Act, the Americans with Disabilities Act and the Federal Food, Drug, and Cosmetic Act. The court concluded that the state law was not preempted by any of the asserted federal laws and denied the company’s motion to dismiss on the PUMA and negligent infliction of emotional distress claims. The case is currently being litigated in the District of Connecticut.

New York City: July 2017
Finally, the little green plant also hit the big apple this summer, within the context of an administrative hearing at the New York City Taxi and Limousine Commission. There, an Administrative Law Judge concluded that the Commission could not revoke a driver’s TLC license after the driver tested positive for marijuana, due to his legal use of the drug in accordance with the New York State Compassionate Care Act. The ALJ reasoned that a finding of unfitness for a license based upon a “failed drug test as a result of illegal drug use” was not applicable to the driver’s legal use. While not an employment case, such a decision may provide insight into where both the city and state of New York will go in the near future.

Practical Implications for Employers
Do the above decisions mean employees are free to “light up” in your workplace? No. Can employees come to work high? No. Many employers are confused about the legalization of marijuana, but it is a simple proposition: Employers should follow state law, and treat an employee who is lawfully using marijuana the same way they would treat any employee’s lawful use of another drug.

• If it is prescribed, employees still cannot use marijuana while on duty.
• If the employee is a recreational user, they also cannot use it at work or be allowed to work under the influence.

However, the decisions depict a trend of court acceptance of off-duty use of medical marijuana in accordance with state laws. Such decisions have important ramifications for employer drug-testing programs and policies—both of candidates and employees. Before terminating an employee or rescinding a job offer based on a positive test, employers should carefully consider any relevant statutory language (e.g., does your state provide specific protection to employees like Connecticut’s?) as well as recent case law. At the end of the day, an employer’s ability to restrict off-duty use of marijuana may just be off-limits.
https://www.lexology.com/library/detail.aspx?g=b38a2ebd-8ff4-4fbe-9ce7-66de4889dd27&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-11-24&utm_term

Arizona Governor Signs Executive Order Banning the Box
On November 6, Arizona governor Doug Ducey signed an executive order making Arizona the most recent state to adopt a “ban the box” law. The state joins Pima County and Tucson—Arizona localities that have already joined the “ban the box” movement. Under the new policy, state agencies will delay questions related to an employment candidate’s criminal record until after the initial stages of interviewing (i.e., until an candidate has submitted an application and received an initial interview). Gov. Ducey deemed the new law the “The Second Chance” order. “All Arizonans, no matter their background or past mistakes, deserve a chance to make a living and a better life for themselves and their families,” he remarked. “If you served your time and paid your debt to society, you should have the opportunity for a real second chance.” The Governor’s Office estimates that 1.5 million Arizonans have a criminal past, and studies show that past criminal convictions reduce a job candidate’s chances of receiving a second interview by fifty percent. Gov. Ducey’s announcement touted the order as having the potential to save taxpayer resources and of boosting the state’s economy.
https://www.lexology.com/library/detail.aspx?g=e47d3ced-bb50-4bfb-aa34-2882d5242805&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-11-09&utm_term

Albany County, New York Passes Salary History Ban
Last month, the Albany County Legislature unanimously voted to amend the Albany County Human Rights Law to prohibit employers from requiring job candidates to provide prior or current salary information before offering them employment. (The text of the bill can be located here.) Earlier last week on November 6, 2017, Albany County Executive Daniel McCoy signed the bill into law. The law will go into effect thirty days after it is filed with the New York Secretary of State. The law will prohibit all Albany County employers with four or more employees, and employment agencies, from:

• screening candidates based on their current or prior wages or other compensation;
• requiring that an candidate’s prior wages satisfy minimum or maximum criteria;
• requesting or requiring that candidates disclose salary history information as a condition of being interviewed or considered for employment; and
• seeking information about the current or prior salary of an candidate from his or her current or former employers.

The Albany County law contains a narrow exception. Only after extending an offer of employment “with compensation” details to the candidate, and with the written authorization of the candidate, employers or employment agencies may confirm the prior wages, benefits or other compensation history of the candidate.
https://www.lexology.com/library/detail.aspx?g=72101245-9664-434a-a281-fc16a01bbd11&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-11-14&utm_term

Spokane County Adopts Ban the Box Policy
The Spokane County Board of Commissioners voted to remove questions about past criminal convictions from county job applications. The new hiring policy means job candidates will no longer be asked to disclose criminal convictions from the past 10 years, and the county will not conduct a background check until after it determines a candidate is otherwise qualified. Nationwide, more than 150 cities and counties have moved to “ban the box” and give candidates with convictions a fairer chance of getting hired, according to the National Employment Law Project. The city of Spokane joined that list in 2014.
http://www.spokesman.com/stories/2017/oct/27/spokane-county-bans-the-box-wont-ask-job-candidate/

Delaware Law Prohibits Employers from Requesting Compensation Information
On Thursday, December 14, 2017, a new law will take effect in Delaware forbidding employers from requesting compensation history from job candidates. The stated purpose of Delaware’s new law is to close the pay gap between men and women within Delaware.

Specifically, starting on December 14, 2017, it will be unlawful for employers in Delaware to

• “[s]creen candidates based on their compensation histories, including by requiring that an candidate’s prior compensation satisfy minimum or maximum criteria,” or
• “[s]eek the compensation history of an candidate from the candidate or a current or former employer.”

Title 19 of the Delaware Code broadly defines “compensation” to include “monetary wages as well as benefits and other forms of compensation.” As written, this definition may be interpreted by regulators and courts to encompass topics typically discussed between employers and candidates during the application process, including, but not limited to, salary, bonuses, deferred compensation, vacation, medical benefits, and leave policies. The new law expressly states that it does not prohibit an employer or an employer’s agent from discussing or negotiating “compensation expectations” provided that the employer or the employer’s agent does not request or require the candidate’s compensation history. In addition, after an offer of employment “with terms of compensation” has been extended to an candidate, employers are permitted to seek the candidate’s compensation history for the sole purpose of confirming that information. Employers using recruiters also need to adjust hiring practices because the law holds employers liable for the actions of their “agents.” There is, however, a defense for employers if they can demonstrate that agents or recruiters acting on an employer’s behalf were informed by the employer of Delaware’s new statutory requirements and instructed by the employer to comply with the new statutory requirements while acting on the employer’s behalf. The new law provides that the Delaware Department of Labor (DDOL) has the authority to enforce its provisions. It further provides for civil penalties ranging between $1,000 and $10,000 per violation for employers who fail to adjust their interview and application processes in compliance with the new law. Employers should revise existing handbooks, policies, and trainings to prohibit inquiries into wage history during interviews or at any time in the hiring process. Additionally, Delaware employers need to ensure that they communicate these new restrictions to recruiters and any other agents acting on their behalf during the interview and hiring process.
https://www.lexology.com/library/detail.aspx?g=b3cf9f02-e2b3-4be1-9d37-76e14f3250aa&utm_source=lexology+daily+newsfeed&utm_medium=html+email+-+body+-+general+section&utm_campaign=acc+newsstand+subscriber+daily+feed&utm_content=lexology+daily+newsfeed+2017-11-21&utm_term

New California Law Adds to List of Sex Offenses Affecting Teacher Credentialing and Employment
California has taken an important step in protecting students from being subjected to sexual misconduct by teachers. Recently, the California legislature enacted AB 872, which makes all sex offenses that require registration as a sex offender now also result in the immediate suspension of a teacher’s credential. The bill amends Education Code Section 44010 to add Penal Code Section 288.2, which relates to the sending or delivering of sexual material to minors, and Penal Code Section 290(c), which lists the crimes for which a convicted person must register as a sex offender. AB 872, which is effective January 1, 2018, will also require the Commission on Teacher Credentialing to deny or revoke a teacher’s credential and for a public-school employer to deny employment or terminate classified employees for a conviction of any of the above crimes. In addition, certificated employees who are charged with any of the above crimes are now subject to the compulsory leave of absence provisions of Section 44940. The practical effect of the legislation will be to make it easier for public school employers to suspend and terminate such employees and keep them away from students who could potentially be harmed.
https://www.lexology.com/library/detail.aspx?g=64ee21f1-cad2-4af1-99d1-23e47c36746d&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-11-17&utm_term

International Developments

Non-Medical Marijuana Use at Work in Canada
With the proposed Cannabis Act looking to legalize recreational marijuana in Canada in July of 2018, employers are wondering how the new legislation will affect their workplaces and how they can prepare for the potential multitude of issues that may in turn emerge as a result of this new legislation. Once passed, the Cannabis Act will permit Canadians who are 18 years or older to: a) possess up to thirty (30) grams of cannabis; b) share up to thirty (30) grams of cannabis with other adults; c) purchase dried or fresh cannabis from a provincially licensed retailer; d) grow up to four (4) cannabis plants; and e) make cannabis-infused food and drinks. Although the provisions of the Cannabis Act may be altered prior to July 2018, it is clear that employees across all types of industries will have access to marijuana, bringing with it concerns of how employers can appropriately address any potential risks and/or discipline should employees attend the workplace while under the influence of the drug. Employers can be assured that once recreational use of marijuana is legalized, non-medical use of marijuana can be treated similarly to most employers’ current drug and alcohol policies (see our article, “Medical Marijuana Use in the Workplace” for more information). Employers will still be able to prohibit the use of marijuana during work hours, and to further prohibit attendance at work while impaired or under the influence of recreational marijuana. Any violation of the employer’s workplace policies in this regard could result in discipline, up to and including termination.

Policies
The case law continues to evolve in regard to marijuana use in the workplace, and will continue to evolve with the Cannabis Act coming into force in 2018. This will no doubt lead to further contentious issues between employers and employees, including elements of discipline, accommodation, and various other workplace policies.

Employers are encouraged to place a high priority on making changes to workplace policies which set out procedures for dealing with marijuana use in the workplace prior to any problem arising. The updated drug and alcohol policies should make specific mention of how non-medical marijuana use will be addressed in the workplace, and should include the following aspects:

• duty to disclose any use of marijuana in the workplace;
• consequences of noncompliance, including appropriate progressive disciplinary procedures;
• modifications to human rights and accommodation policies to specifically deal with issues relating to marijuana dependency;
• establishing a framework for testing for impairment, including triggering circumstances and testing methods; and
• proper training of management and supervisory staff on the application of all policies relating to medical and non-medical use of marijuana in the workplace.

Educating employees and management on the policy changes and how they are to be administered is also key. Further, to avoid restricting employment opportunities in a manner that contravenes the Code, employers need to ensure that any employment standards, policies or rules:

• are rationally connected to the performance of the job;
• are adopted in an honest and good faith belief that they are necessary to the fulfillment of a legitimate work-related purpose; and
• are reasonably necessary to accomplish the legitimate work-related purpose.

Drug Testing
Currently, testing for marijuana use is difficult as there is no medical test that comprehensively or reliably indicates the level of a person’s impairment due to marijuana use. Unlike alcohol, marijuana can be detected in the bloodstream days after ingestion, and levels of THC (the active ingredient in marijuana) do not necessarily correspond with levels of impairment. Further, the Supreme Court of Canada has stated that employers are required to balance their interest in drug testing to ensure a safe work environment with employee privacy interests.

Courts have held that completely random drug testing of an employee is not permitted, however, if an employer has reasonable cause to believe an employee is under the influence of marijuana, the employer can insist on that employee submitting to a drug test. As indicated earlier, it is in an employer’s best interest to have strong drug and alcohol policies in place prior to the Cannabis Act coming into force that include reasonable cause expectations and the resulting procedures. For example, whether a reasonable cause drug test is in order is entirely fact specific. The employer must show evidence of a reasonable belief that the employee had used marijuana. Such evidence would include physical evidence of the employee (bloodshot eyes, slowed reaction time) as well as situational evidence (smell of marijuana smoke, discarded marijuana paraphernalia near the incident scene). Outlining the expectations of reasonable belief to employees prior to the enactment of the Cannabis Act strengthens an employer’s position if and when the time came to consider whether circumstances warrant requiring a drug test and/or implementing a form of discipline as a result of suspected impairment. Canadian case law also recognizes that an employee’s refusal or failure to undergo an alcohol or drug test in the circumstances described above may properly be viewed as a serious violation of an employer’s drug and alcohol policy, and may itself be grounds for serious discipline. Notwithstanding these restrictions, the Supreme Court confirmed there are instances where random testing policies may be allowed, such as in workplaces that are safety sensitive and where there is a demonstrated problem of ongoing drug use in the workplace. Post-incident testing is also typically permitted in cases where a workplace incident or a “near-miss” has occurred and evidence to suggest that impairment may have been a factor exists. In these instances, the infringement on the employee’s privacy rights is outweighed by the “gain” an employer may receive with respect to safety.

Similar to alcohol, testing for marijuana use may also be justified as part of a rehabilitation or return to work program of an employee who works in a safety sensitive position and has shown a pattern of behavior where use of marijuana is central to the problem.

In several cases, dismissal or discipline based solely on the testimony of witnesses present at the time, or the mere observing of marijuana use without corroborating physical evidence, has not been found to be compelling enough to satisfy arbitrators that the employer has established its case. The Supreme Court of Canada has stated that there is only one civil standard and in all cases, the evidence must be carefully scrutinized and must be sufficiently “clear, convincing and cogent” to establish the balance of probabilities test.

Be forewarned, however, that a refusal of a drug test or testing positive for marijuana use does not necessarily justify automatic termination of employment. The appropriate disciplinary action in these types of cases must be determined on a case by case basis, having regard to the relevant facts, as well as being cognizant of any just cause provisions of any applicable collective agreement or employment agreement between the parties. Employers with strong workplace policies and procedures, which take into account Human Rights legislation, the current Access to Cannabis for Medical Purposes Regulations and the proposed Cannabis Act, will be well-positioned to educate employees of their workplace responsibilities and expectations prior to the proposed Cannabis Act coming into force, and in turn, heading off potential issues which may have otherwise occurred.
https://www.lexology.com/library/detail.aspx?g=ccead481-1e71-433c-b02f-4c26e73eaf23&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-11-17&utm_term

Facilitation Payments No Longer Permissible Under Canadian Anti-Corruption Law
Canada’s repeal of the “facilitation payments” exception in its foreign anti-corruption law widens the rift between the United States, which permits such payments, and the majority of other countries, which prohibit them. On October 30, 2017, the Canadian government repealed its facilitation payments exception for bribery offenses under the Canadian Corruption of Foreign Public Officials Act (CFPOA), an anticorruption statute with extraterritorial reach that had permitted such payments since its implementation in 1999. The long-anticipated move followed the February 2013 introduction of Bill S-14 (An Act to amend the Corruption of Foreign Public Officials Act), which provided for the elimination of the facilitation payments exception at a future date. The delayed implementation of the facilitation payments repeal was intended to allow businesses adequate time to prepare for the legislative change. Facilitation payments are now prohibited under Canadian law, whether the payments occur in Canada or abroad.

What are facilitation payments?
Section 3(4) of the CFPOA previously defined “facilitation payments” as payments “made to expedite or secure the performance by a foreign public official of any act of a routine nature that is part of the foreign public official’s duties or functions.” Examples of facilitation payments—which are occasionally referred to as “grease” or “expediting” payments—include payments for:

• issuance of government permits, licenses, or other documents to qualify entities/individuals to conduct business
• processing of official documents, such as visas and work permits
• provision of services normally offered to the public, such as mail pickup and delivery, telecommunication services, and power and water supply and
• provision of services normally provided as required, such as police protection, loading and unloading of cargo, the protection of perishable products or commodities from deterioration or the scheduling of inspections related to contract performance or transit of goods.

The CFPOA’s facilitation payment exception did not extend to payments related to “decision[s] to award new business or to continue business with a particular party,” including “decision[s] on the terms of that business, or encouraging another person to make any such decision[s].”

The CFPOA contains a “local law” defense that may exempt some facilitation payments from prosecution. The defense provides that payments are permissible where they are “permitted or required under the laws of the foreign state or public international organization for which the foreign public official performs duties or functions.” So, for example, some governments offer Canadian citizens a two-track option for requesting foreign visas, normal and expedited, with the prices published in a government-issued fee schedule. There is no question that a higher payment made for the quicker processing time is intended to “expedite…the performance by a foreign public official of any act of a routine nature that is part of the foreign public official’s duties,” and involves the “processing of official documents,” but such payment would not run afoul the CFPOA’s anti-bribery provisions if it is “permitted or required under the laws of the foreign state.”

How do other countries treat facilitation payments?
While the UK Bribery Act 2010 (Bribery Act) does not address facilitation payments in its statutory text, the UK Serious Fraud Office (SFO) has issued guidance unequivocally prohibiting such payments: “A facilitation payment is a type of bribe and should be seen as such. Facilitation payments were illegal before the Bribery Act came into force and they are illegal under the Bribery Act, regardless of their size or frequency.” Prior to initiating an enforcement action for a facilitation payment, SFO prosecutors must apply the Full Code Test, which states that “[p]rosecutors must be satisfied that there is sufficient evidence to provide a realistic prospect of conviction against each suspect on each charge” and believe that the “prosecution is required in the public interest.”

The U.S. Foreign Corruption Practices Act (FCPA), in contrast to the Bribery Act and recently-amended CFPOA, exempts from its bribery offenses offers or payments provided in exchange for routine government actions. The FCPA states that its anti-bribery prohibition “shall not apply to any facilitating or expediting payment to a foreign official, political party, or party official the purpose of which is to expedite or to secure the performance of a routine governmental action.” While the exception “focuses on the purpose of the payment rather than its value,” regulators have cautioned that the size of the payment “can be telling, as a large payment is more suggestive of corrupt intent to influence a non-routine governmental action.” The United States is in the minority of countries that tolerate facilitation payments in their international anti-corruption laws. Most countries have embraced the recommendations of the Organization for Economic Co-Operation and Development (OECD), which describe facilitation payments as “corrosive” and recommend that member-countries “encourage companies to prohibit or discourage the use of small facilitation payments.”

What are the implications for companies?
Companies subject to the CFPOA which have compliance policies or practices that previously allowed employees or third-party agents to make facilitation payments, or whose compliance policies are silent on the subject, should take immediate action to revise those policies, prohibit facilitation payments and educate relevant personnel about the changes. This may require a review of the companies’ interactions with foreign governments and an understanding of the extent to which any payments for governmental services are required under the foreign law. Under the Canadian Criminal Code, violations of the CFPOA are punishable by both fines and imprisonment.
https://www.lexology.com/library/detail.aspx?g=e675a91b-a058-40f2-ade1-25360097629c&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-11-20&utm_term

ICO Warns Data Brokering Industry After Issuing £80,000 Fine to Unlawful Data Supplier
A firm trading in people’s personal information and describing itself as ‘the UK’s Premier Lead Generation Provider’ has been fined £80,000 by the Information Commissioner’s Office (ICO). Verso Group (UK) Limited failed to comply with data protection law because it was not clear with people about what it was doing with their personal information.
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/11/ico-warns-data-broking-industry-after-issuing-80-000-fine-to-unlawful-data-supplier/

EU Parliament Approves Electronic Border Program
On October 25th, the European Parliament approved a new electronic entry-exit system (EES) that will collect and store biometric information for non-EU visitors traveling between countries in the Schengen Zone. The new system will apply to visa and visa-exempt travelers admitted to the EU for 90 days. The system will collect travelers’ personal information including names, travel documents, fingerprints, facial images, and whether they enter, exit, or are refused entry into the Schengen area. The data will be retained for three years and for overstayers five years. The EES is expected to be implemented by 2020.
http://www.europarl.europa.eu/news/en/press-room/20171020IPR86543/strengthening-security-checks-at-europe-s-borders
http://www.computerweekly.com/news/450428966/EU-to-collect-biometrics-of-all-visitors-which-could-include-UK-citizens-post-Brexit

Why U.S. Companies Should Be Aware of the Long-Arm of the EU General Data Protection Regulation (GDPR)
The European Union’s (EU) General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. Unlike some data privacy laws which regulate organizations within their territorial jurisdiction, or regulate the data of their citizens, the GDPR covers nearly any personal data gathered on persons physically in the Union, regardless of citizenship status or geographic location of the organization. This broad reach will place many American organizations under the regulatory hand of the European Union. The privacy regulation implemented by the GDPR covers personal data (which can be name, address, location data, financial information, health information, cultural information, and more) of persons physically located in the European Union when that data was generated or acquired. Organizations that collect this data directly, or process this data for other organizations are governed by the GDPR. Article 3 of the GDPR is titled “Territorial Scope.” The scope of the regulation is not limited to the territory of an organization, but the territory of the data subject. Specifically, Article 3 states: This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

• the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
• the monitoring of their behavior as far as their behavior takes place within the Union.

Put plainly, if your organization has any personal data of a person in the EU, or gathered from a person while they were in the EU, your organization is within the scope of the GDPR. The lengthy regulation is supplemented by many articles from the “Article 29 Working Party” outlining how the regulation should be interpreted and enforced. The changes your organization will need to implement will depend on a variety of factors including the type and amount of data for which your organization is responsible. The GDPR carries strict data breach notification requirements, security requirements, and consent requirements. In the United States, people generally do not have the right to access data which companies hold, even when that data pertains to them. The GDPR gives persons the right to view, withdraw consent, and even order organizations to delete information on them within certain constraints. Setting up the organizational methods to deal with such requests will be a necessity for many American companies. Penalties for non-compliance with the GDPR can be severe. The GDPR permits fines up to 20 million Euros or 4% of annual global revenues, whichever is higher. Many U.S. companies might prudently wonder how an EU member state could levy a fine against them. The GDPR contemplates several ways an EU member state may sanction a noncompliant organization. First, if the American company has established a location in the EU then they can be sanctioned directly. Second, some companies that process a significant amount of EU data must designate a representative located in an EU member state to work with the regulators to ensure compliance and to accept sanctions from the regulators on behalf of the company. Finally, we can look back to Article 3 to see the GDPR asserts its authority over “a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.” As the GDPR is not in force it is not clear to what extent an EU member state would leverage an international treaty with the US, or an agreement with the FTC to enforce its regulation on a company located exclusively in the U.S. without a designated representative in the EU, but they clearly are claiming the right to do so.
https://www.lexology.com/library/detail.aspx?g=4e868489-1cd9-4d1c-91ce-2535991e8a06&utm_source=lexology+daily+newsfeed&utm_medium=html+email+-+body+-+general+section&utm_campaign=acc+newsstand+subscriber+daily+feed&utm_content=lexology+daily+newsfeed+2017-11-02&utm_term

Does Your U.S. Company Pull Data from European Citizens? Fall in Line with GDPR by May 2018 or Suffer Substantial Fines
The European Union (“EU”) has enacted a strict, comprehensive framework of security regulations aimed to protect its citizens. These regulations, known as the General Data Protection Regulation (“GDPR”), provide a blueprint for a combination of required legal, technological and work habits within an organization. Although this is an EU regulation, the new laws will apply to any organization within or outside the EU that collects or processes data of EU citizens. Therefore, U.S. companies must analyze their data and processes to determine whether compliance with the GDPR is necessary. A quickly-approaching deadline of May 25, 2018 must be met to avoid massive fines.

What is the GDPR?
In order to address the creation of social networking sites, cloud computing, and location-based services, the EU set in motion a process to implement a vigorous set of rules to ensure the right to personal data protection for all European citizens. In April 2016 the European Parliament, the Council, and the Commission adopted a new GDPR, which will take effect on May 25, 2018. This GDPR will streamline cooperation between the data protection authorities on personal data issues allowing companies to deal with one authority—not each of the 28 EU member states. This will allow for quicker decisions by the data protection authorities and greatly reduce the red tape in both compliance and enforcement under the GDPR. This will also create a level playing field by forcing non-EU companies to comply with the same strict regulations—regardless of whether or not the company is established in the EU.

Territorial Scope of the GDPR
The GDPR applies directly to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU—regardless of whether the processing takes place in the EU. Additionally, there are specific provisions under the GDPR that apply to non-EU companies if their processing activities relate to (a) the offering of goods or services (irrespective of whether a payment of the data subject is required) or (b) monitoring the behavior of individuals within the EU. Therefore, all companies must determine whether they process or monitor information of EU citizens. If a company falls within one of these categories, compliance with the GDPR is mandatory.

What happens if a company fails to comply with the GDPR?
Failure to comply with the GDPR could subject a company to crushing administrative fines.
The supervisory authority has the power to impose administrative fines under the GDPR. The following violations and breaches would subject a company to administrative fines:

• Not adhering to the core principles of processing personal data,
• Breach of notification to EU citizens by controllers and processors,
• Wrongful transfer of personal data to non-EU countries,
• Breach of obligations regarding certification,
• Ignoring the mandates asserted by the supervisory authority,
• Breach by those responsible for impact assessment, and
• Wrongful processing of employee data.

The extent of the violation and type of personal data involved will dictate the severity of the administrative fines imposed on a company. For example, under the GDPR, a company could be subject to administrative fines up to 20,000,000 EUR, or up to 4% of the total worldwide annual revenue of the preceding financial year. Obviously, these fines would be financially crippling to any company.

Preparing for May 25, 2018
The May 25, 2018 deadline is fast approaching and preparing for full compliance with the GDPR is paramount. Simple steps should be taken to ensure compliance including to:

• Review and analyze data repositories for sensitive data,
• Perform an analysis/accounting of procedure for data collection, and
• Create an oversite committee dedicated to data activities and compliance.

Most importantly, however, is to determine whether compliance with the GDPR is necessary, and strictly follow the requirements of the GDPR to protect from potentially massive fines
https://www.lexology.com/library/detail.aspx?g=a9387243-f40f-44a9-8cb8-e40330e8d2ea&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-11-17&utm_term

European Commission Law Enforcement Data Proposal
On November 9th, a European Commission official said that the Commission hopes to create a new EU-US agreement that would allow law enforcement to access data from technology companies located in the U.S. EU officials have suggested this agreement to U.S. Attorney General Jeff Sessions, but have yet to receive a response. Currently, the Commission is drafting new rules that would allow law enforcement within the EU to access data, known as e-evidence, from other member states. The European Commission plans to propose these rules by January 2018. However, privacy advocates have warned against any rule that would allow law enforcement to request information directly from a company. Instead, they suggest reforming existing mutual legal assistance treaties to allow data to be transferred faster.
http://www.euractiv.com/section/data-protection/news/commission-wants-to-extend-law-for-police-data-access-to-the-us/

EU Cyber Insurance Guidelines
On November 16th, Euractiv reported that the European Union Agency for Network and Information Security (ENISA) has suggested that more companies take out cyber insurance policies to mitigate losses following a cyberattack. According to the Agency, “increased adoption of cyber insurance would prepare the market to respond more effectively to large-scale incidents such as WannaCry and NotPetya.” ENISA suggested that legislators should discuss liability issues relating to cybersecurity incidents, and has proposed collaborating with the European Commission to develop guidelines for insurance companies, including how to assess organizations’ cybersecurity risks. The agency also recommended that the EU create a centralized database on cybersecurity incidents so companies could compare information about hacking incidents across multiple sectors.
http://www.euractiv.com/section/cybersecurity/news/eu-guidelines-would-help-cyber-insurance-industry-agency-says/

India’s Aadhaar Data Breach
On November 20th, IB Times reported that India’s Unique Identification Authority of India (UIDAI) announced a data breach of over 200 central and state government departments that publically exposed individuals’ information online. The breach affected individuals who were issued an Aadhaar number, which is the country’s national ID system, and compromised names, addresses, Aadhaar numbers, and other details. The UIDAI did not specify the number of affected individuals and has since secured the information.
http://www.ibtimes.co.uk/aadhaar-data-leak-more-200-indian-government-websites-expose-citizens-key-personal-details-1647982

What can employers do with regard to background checks and inquiries in Finland?
Criminal records: In the majority of cases, a private sector employer is not permitted to receive an candidate’s or employee’s criminal record information directly or indirectly, unless it is expressly regulated by law. The law contains derogation with regard to, for example, people who work with children on a permanent and substantial basis. General security clearances (including criminal record checks) are performed by the Finnish Security Police. The reason for this is that the checks are permitted only when they would help to prevent certain criminal offences. Prior written consent from the candidate or the employee is required before the employer can request security clearance. In practice, only private sector positions in which the employees are directly financially responsible for the employer’s property or which for some other reason require considerable trust from the employer may require security clearance. This would most likely cover most executive positions.

Medical history: The employer’s right to background checks related to the employee’s medical history is limited. As a general rule, the employer has the right to process information concerning the employee’s state of health only if such information has been collected from the employee himself or herself, or elsewhere with the employee’s written consent, and the information must be processed:

• in order to pay sick pay or other comparable health-related benefits;
• to establish whether there is a justifiable reason for absence; or
• if the employee expressly wishes his or her working capacity to be assessed on the basis of information concerning his or her state of health.

Information concerning the employee’s state of health may only be processed by people who prepare, make or implement decisions concerning employment relationships on the basis of such information. The employer shall nominate such people or specify the tasks that involve the processing of health-related information. The employer must store any information in its possession concerning the employee’s state of health separately from any other personal data that it has collected.

Drug screening: The employer may process only information on drug screening which is contained in a specific drug test certificate supplied to the employer by the candidate. The employer must notify the candidate in advance that the nature of the job is such that the employer requires drug screening from candidates. Drug screening is not allowed in all jobs. Screening is permitted only if performing the work while under the influence of or when addicted to drugs could endanger business or trade secrets or cause significant financial loss to the employer or its clients, and provided that this could not be prevented by other means. The employer may also request a drug test certificate if the candidate is to carry out tasks where special trust is required or where there is independent and uncontrolled access to drugs or a quantity of medicines that could be used for the purposes of intoxication. In addition, requiring a drug test certificate can be requested if the candidate is to carry out tasks that include teaching or caring for a minor.

Credit checks: Credit checks can be carried out, but only if the statutory criteria for such checks are fulfilled in each individual case. Typically, credit checks may apply to jobs where employees are directly financially responsible for the employer’s property or which for some other reason require considerable trust from the employer. This covers most executive positions.

Immigration status: The employer is generally obliged to request information on foreign employees’ immigration status, or a reason why no employee residence permit is not required.

Social media: In general, an employee’s personal data should be collected from the employee him or herself, or from elsewhere with the employee’s written consent. Accordingly, the employer has no right to perform background checks based on the employee’s social media activity.

Other: During recruitment employers may use information about job candidates that is in the public domain. However, this can be done only with the candidate’s prior consent. Further, the information requested and received must be directly necessary for the employment relationship.
https://www.lexology.com/library/detail.aspx?g=b03caa90-2830-4194-a967-6cceaa561e7e&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-11-01&utm_term

What can employers do with regard to background checks and inquiries in India?
Criminal records: While it is possible to conduct criminal background checks, this is extremely difficult in practice because criminal records are not digitized and are not consolidated nationwide. Accordingly, where a criminal background check must be carried out, this is typically done at the police station with jurisdiction over the employee’s current place of residence or anywhere that he or she has lived for a reasonable period.

Medical history: Employees’ medical histories cannot be accessed easily, since these are not digitized and there is no repository of medical records. Employee consent is required to disclose medical records to the employer. However, some employers require employees to undergo medical checks and have the diagnostic center send the report directly to the employer. Subject to certain specific restrictions (e.g., pre-employment testing for HIV is not permitted), there is no prohibition against this practice under Indian law.

Drug screening: Indian law does not prohibit drug screening.

Credit checks: An individual is entitled to obtain information on his or her credit rating. The employer can also access this information, with the employee’s permission and on providing necessary proof of identity. Access to credit rating information is more common in banks and financial institutions.

Immigration status: Indian law does not specifically require an employer to check the immigration status of a foreigner. Indian law does not prevent the employer from checking whether a foreign employee holds the necessary visa to work in India. If a foreign individual on an employment visa wishes to change employment to another company, he or she must leave India and apply afresh for a visa. The only exception is where the foreigner is changing jobs between a registered holding company and its subsidiaries or vice versa, or between subsidiaries of a registered holding company. In such case the foreigner may not need to leave India, provided that he or she fulfills specific criteria, including obtaining prior government approval for the change in employment.

Social media: There is no bar against conducting background checks through social media.

Other: The most common background checks undertaken are of educational qualifications. The employee must consent to this and the employer (or an outsourced provider) will then write to the relevant institution requesting confirmation. The institution may charge a fee for providing this information. Most institutions have a procedure in place in this regard.
https://www.lexology.com/library/detail.aspx?g=fa2fb547-5828-419a-bd3b-4ef01b612643&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-11-27&utm_term

What can employers do with regard to background checks and inquiries in Indonesia?
Criminal records: Employers may require prospective or existing employees to obtain a statement of good behavior (surat keterangan catatan kepolisian or SKCKS) from the local district office of the Indonesian National Police. An SKCK is a letter issued by, or on behalf of, the chief of police in the district in which an individual is domiciled confirming that the individual named in the letter is of good behavior and not presently involved in any criminal investigation or proceedings. This statement is based on the information provided by the head of the village or sub-regency where the individual lives, and a review of the local criminal record. An SKCK does not indicate whether an individual has a criminal record, but rather confirms that the individual is not currently involved in criminal proceedings within that specific district only. Centralized/national criminal records are not available.

Medical history: An employer can require a potential employee to undergo a physical examination as a condition of employment. It is important that all potential employees be subject to the same conditions. The potential employee should give his or her written consent to both the examination and the release of the results to the employer. The employer can also require that prior medical records be made available to the employer, on a non-discretionary basis and with the potential employee’s written consent.

Drug screening: The test can be carried out, but only in limited circumstances—for instance, where working under the influence of drugs or alcohol could give rise to health and safety considerations (e.g., where employees drive or operate machinery) or serious damage to the employer’s business. The candidate would need to consent to the test. Drug and alcohol testing should be carried out during employment only if justified, necessary and proportionate, and with the consent of the employee.

Credit checks: Information of this kind is seldom used in the recruitment process in Indonesia. However, Bank Indonesia produces comprehensive individual credit history reports, which are issued only upon the request of both financial institutions and the individual that the information concerns, as this information is considered confidential.

Immigration status: A local employer in Indonesia that wants to employ a foreign national must arrange for a work permit for the foreign national. ‘Work permit’ in this context involves an array of registrations and approvals. Foreign nationals may come into Indonesia under business visas to do business-related activities on behalf of their overseas employer, such as participating in meetings, and for investment purposes.
Social media: There is no prohibition on verifying information provided on public websites, such as news sources, Google searches or social network site searches. The only information that can be collected and retained by employers is information that can be accessed or obtained publicly, not private information.

Other: Employers in Indonesia frequently carry out background checks on candidates. Indonesian employment laws do not expressly regulate background checks. Certain background checks are in practice subject to the consent of the candidate.
https://www.lexology.com/library/detail.aspx?g=14719cf4-5733-467b-b5c8-9c9fb59a48e5&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-11-28&utm_term

What can employers do with regard to background checks and inquiries in Japan?
Criminal records: Employers cannot directly access criminal records. They can ask employees to provide extracts of any criminal records (a cumbersome procedure), but this is unusual.

Medical history: Employers can inquire about an candidate’s medical history, provided that any inquiry is consistent with the purpose of the interview. In addition, the Labor Safety and Health Law—which promotes the prevention of worker illness and injury—provides that medical examinations may be performed during initial hire and at least yearly.

Drug screening: Drug screening is possible (depending on the nature of the job), but is unusual.

Credit checks: Credit checks are not customary, as they are not considered directly relevant.

Immigration status: The immigration status of all foreign employees must be checked, as it is a criminal offence to employ someone who is subject to immigration control without the appropriate permission to work in Japan.

Social media: Employers can check social media accounts in order to check references, past convictions or any trouble with the law.

Other: As it is extremely difficult to dismiss employees in Japan, the freedoms surrounding the pre-hiring and pre-screening process are broad. That said, certain background checks are prohibited (e.g., checking whether a prospective employee belongs to the burakumin community).

What can employers do with regard to background checks and inquiries in Italy?
Criminal records: Criminal record checks may be carried out by public employers or for specific positions (e.g., security guards or bank employees). Only the employee can request his or her criminal record from the authorities.

Medical history: Checks on medical history are not permitted. However, for specific roles an employer can carry out a medical examination before hiring in order to ascertain that the employee can perform his or her duties.

Drug screening: Drug screening is not permitted.

Credit checks: Credit checks are not permitted.

Immigration status: Yes, a company must check immigration status before hiring a foreign employee in order to prevent the hiring of illegal immigrants.

Social media: No specific regulation applies to social media checks.

Other: The general rule is set out in Article 8 of the Workers Statute, which prohibits an employer from carrying out investigations before hiring (e.g., into relationships, religious views, opinions and any other facts which are irrelevant to professional qualifications).
https://www.lexology.com/library/detail.aspx?g=96d99c29-b751-417b-8e66-589868c11574&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-11-01&utm_term

What can employers do with regard to background checks and inquiries in Romania?
Criminal records: According to Article 10 of Law 677/2001 on the protection of individuals regarding personal data processing (which transposes Directive 95/46/EC), the processing of personal data regarding criminal convictions may be made only by or under the supervision of the relevant public authorities within the powers granted to them by law. By law, criminal conviction registers may be held only by the relevant authority within the Ministry of Interior and can be accessed only by the concerned person or, under certain conditions, by other public authorities. Accordingly, employers may not access the criminal conviction registers. However, they should be entitled to request that the relevant employee or candidate provide an excerpt of his or her criminal record if the employer has a legitimate interest in checking that there is no criminal penalty forbidding an employee from holding the relevant position. Processing such information should be made in full compliance with data privacy requirements. For instance, except where expressly required by law (e.g., there is a legal obligation for certain categories of employee to present a criminal record before engaging in an employment relationship), the processing should be notified to the data privacy authority, which must carry out an inspection. Under Law 677/2001, employers cannot carry out any other type of processing pertaining to criminal convictions unless the relevant data:

• is manifestly made public by the concerned person; or
• is closely connected to the official status of the concerned person or the public nature of the acts.

Medical history: A medical document attesting the employee’s capacity to perform work must be presented before engaging in an employment relationship. However, such document does not contain a detailed medical history and grants the employer no right to further investigate the potential employee’s medical condition. No other legal provisions allow such further investigations. Nonetheless, with the employee’s consent the employer may be given access to his or her medical history. All medical data should be processed in accordance with data privacy legislation. For instance, unless the processing is required by law (e.g., as in the case of the medical document presented on commencement of employment or as required to observe health and safety obligations), the data must be notified to the data privacy authority for inspection.

Drug screening: Romanian labor law makes no reference to drug screening. However, this may be deemed to be medical data and processed accordingly (see above).

Credit checks: Romanian labor law makes no reference to credit checks. However, since credit information amounts to personal data and since it could be claimed that the employer has a legitimate interest in performing such check, the processing of credit-related data could most likely be done only with the employee’s consent. In addition, the processing of credit-related information should observe all other relevant requirements under data privacy legislation.

Immigration status: Romanian labor law makes no reference to credit checks. However, since credit information amounts to personal data and since it could be claimed that the employer has a legitimate interest in performing such check, the processing of credit-related data could most likely be done only with the employee’s consent. In addition, the processing of credit-related information should observe all other relevant requirements under data privacy legislation.

Social media: Romanian labor law makes no reference to social media screening. However, where social media information can be deemed as lawfully obtained from publicly available sources, an employer could, in principle, process this without the employee’s consent provided that private data protection legislation is observed. For certain categories of data, additional conditions (e.g., that the data subject made public the information himself or herself) may have to be fulfilled.

Other: Romanian labor law makes no reference to other types of screening. However, where the screening information can be deemed as lawfully obtained from publicly available sources, an employer could, in principle, process this without the employee’s consent provided that private data protection legislation is observed. For certain categories of data, additional conditions (e.g., that the data subject made public the information himself or herself) may have to be fulfilled.

What can employers do with regard to background checks and inquiries in Singapore?
Criminal records: Employers cannot undertake a criminal record check on employees, but they can require employees to:

• provide an up-to-date criminal record report from the Register of Criminal Records, which is operated by the Singapore Police Force; or
• obtain a certificate of clearance from the police.

The latter can only be obtained by Singaporean citizens or overseas nationals who have legally resided in Singapore for at least six continuous months. Alternatively, employers can ask their employees to sign a self-declaration that they have a clean criminal record. If an individual has no (or only a spent) conviction, he or she can declare that fact. However, if the question concerns whether the individual has ever been convicted of a criminal offence, he or she must answer in the affirmative even if the conviction is spent.

Medical history: Employers can make undergoing a medical examination to assess whether a prospective employee is fit for the job an employment condition. Foreign workers in specific industries must attend a medical examination within two weeks of their arrival in Singapore. Medical records constitute personal data and must be obtained and handled under the Personal Data Protection Act.

Drug screening: There is no legislation preventing alcohol and drug testing at work in Singapore. Best practice is for employers to include a requirement in employment contracts that employees be prepared to undergo alcohol and drugs testing if:

• their jobs carry a health and safety risk to themselves or others; or
• the employer has reasonable grounds to suspect that an employee is under the influence of alcohol or non-prescription drugs at work.

Most employers tend to use external testing agencies or have test samples sent to the Health Sciences Authority for analysis.

Credit checks: Employers can obtain credit reports on employees, although in practice this is done only for senior managers, executives or individuals employed in certain regulated roles where they have access to the employer’s assets or deal with financial matters, such as financial investment advisers or insurance agents. Only the Credit Bureau Singapore and the DP Credit Bureau are recognized by the Singapore Monetary Authority as competent to compile credit reports.

Immigration status: Work permits for foreign employees are generally sponsored by their employers. Therefore, in practice, employers are aware of the immigration status of their employees and their eligibility to work in Singapore. However, it is common for employers to request proof from employees confirming their eligibility to work legally in Singapore and that they inform their employer of any change in their eligibility status.

Social media: Employers are free to screen their employees’ internet profiles and social media activity, provided that such material is publicly available. Although material from social media and the Internet constitutes personal data, it is exempt under the Personal Data Protection Act if it is already publicly available.

Other: Employers are free to conduct additional background checks, including:

• identity verification;
• curriculum vitae checks; and
• reference checks.

However, such checks must be done within the limitations imposed by the Personal Data Protection Act.

Miscellaneous

Is medical marijuana really medicinal?
Despite the dearth of approved marijuana products, the term “medical marijuana” has become commonplace, and the term’s prevalence continues to increase as more states legalize the use of the marijuana plant and its active derivatives for medical purposes, and marijuana dispensaries continue to expand throughout the United States. As of 2017, 29 states and the District of Columbia have approved the use of marijuana for medical purposes. (Despite state laws legalizing marijuana for medical and/or recreational use, marijuana remains a Schedule I controlled substance its distribution and use remain illegal under Federal law.) Studies on the potential of the marijuana plant or its extracts continue to expand and include, among others, treating pain, preventing seizures, and treating autoimmune disorders such as Crohn’s disease. However, despite assertions of efficacy, the U.S. Food and Drug Administration (FDA) has not recognized or approved the marijuana plant as a medicine, and to date, the FDA has only approved three products—Marinol® and Syndrox®, which include the active ingredient, dronabinol, a synthetic delta-9-tetrahydrocannabinol (“THC”), to treat nausea associated with chemotherapy and loss of appetite in AIDS patients; and Cesamet®, which includes the active ingredient, nabilone, a synthetically derived compound with a structure similar to THC, to treat nausea and vomiting associated with chemotherapy. These drugs are available by prescription only. The FDA, an agency within the U.S. Department of Health and Human Services, is responsible for assuring the safety, effectiveness, and security of human and veterinary drugs, vaccines and other biological products for human use and medical devices. Before a drug can be tested in people, a drug company or sponsor performs laboratory and animal tests to discover how the drug works and whether it’s likely to be safe and work well in humans. Drug companies seeking to commercialize a drug in the United States must provide the FDA with appropriate scientific evidence from clinical tests to prove a drug is safe and effective for its intended use. A team of physicians, statisticians, chemists, pharmacologists, and other scientists at FDA reviews the company’s data and proposed labeling. If the independent and unbiased review establishes that a drug’s health benefits outweigh its known risks, the drug may be approved for sale. (https://www.fda.gov/Drugs/DevelopmentApprovalProcess/)

According to Section 321(g)(1)(B) of the Federal Food, Drug, and Cosmetic Act: The term “drug” means…(B) articles intended for use in the diagnosis, cure, mitigation, treatment, or prevention of disease in man or other animals; and (C) articles (other than food) intended to affect the structure or any function of the body of man or other animals; and (D) articles intended for use as a component of any article specified in clause (A), (B), or (C). A food or dietary supplement…is not a drug solely because the label or the labeling contains such a claim. A food, dietary ingredient, or dietary supplement for which a truthful and not misleading statement is made…is not a drug under clause (C) solely because the label or the labeling contains such a statement. A drug is misbranded if the drug fails to bear adequate directions for its intended use(s). (See 21 U.S.C. § 352(f)(1)) “Adequate directions for use” means directions under which a layperson can use a drug safely and for the purposes for which it is intended. (See 21 C.F.R. § 201.5) Prescription drugs can only be used safely at the direction, and under the supervision, of a licensed practitioner. (See 21 U.S.C. § 353(b)(1)(A)) As part of the FDA’s efforts to protect consumers from health fraud, the FDA from time to time issues warning letters to companies, for example, companies that are illegally selling products that claim to prevent, diagnose, treat, or cure a disease or disorder without scientific evidence to support these claims. Selling these unapproved products with unsubstantiated therapeutic claims is a violation of the Federal Food, Drug and Cosmetic Act. The FDA has grown increasingly concerned at the proliferation of “medical marijuana” companies claiming their products treat or cure serious diseases like cancer. On November 1, 2017, the FDA issued warning letters to four companies—Greenroads Health, Natural Alchemist, That’s Natural! Marketing and Consulting, and Stanley Brothers Social Enterprises LLC—citing unsubstantiated claims related to more than 25 different products spanning multiple product webpages, online stores and social media websites. According to the FDA’s warning letters, the companies made unfounded claims about their products’ ability to limit, treat or cure cancer and other serious diseases.

Examples of claims made by these companies include:

• “Combats tumor and cancer cells;”
• “CBD makes cancer cells commit ‘suicide’ without killing other cells;”
• “CBD … [has] anti-proliferative properties that inhibit cell division and growth in certain types of cancer, not allowing the tumor to grow;” and
• “Non-psychoactive cannabinoids like CBD (cannabidiol) may be effective in treating tumors from cancer—including breast cancer.”

Unlike drugs approved by the FDA, the manufacture of the products identified in the recent warning letters has not been subject to FDA review as part of the drug approval process, and there has been no FDA evaluation of whether they work, what the proper dosage is, how they could interact with other drugs, or whether they have dangerous side effects or other safety concerns. The FDA has requested responses from the companies stating how the violations will be corrected. Failure to correct the violations promptly may result in legal action, including product seizure and injunction. While marketing in the marijuana industry is a necessary business objective similar to mainstream businesses, medical marijuana companies must be sure to adhere to appropriate FDA guidelines in describing applications of their products and not overreach in asserting efficacy to treat or prevent illness.
https://www.lexology.com/library/detail.aspx?g=8bec30d4-f3f4-4104-b19f-8aa969cd4d2a&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-11-10&utm_term

TransUnion Acquisition of FactorTrust
On November 14th, TransUnion announced that it acquired alternative credit data provider, FactorTrust. TransUnion reports that the acquisition will allow the Company to add small dollar lending data to its consumer reporting databases to help credit invisible consumers and to help lenders comply with the CFPB’s payday lending rule.
https://newsroom.transunion.com/transunion-expands-credit-access-to-more-americans–with-acquisition-of-factortrust/

CSA Code of Conduct for GDPR Compliance
On November 21st, the Cloud Security Alliance (CSA) released the “CSA Code of Conduct for GDPR Compliance,” which provides guidance for cloud service providers and other stakeholders to comply with the EU’s General Data Protection Regulation (GDPR). The guidance is intended to outline the application of the GDPR in the cloud environment in various categories, including the processing of personal data, data breach notification to regulators and affected individuals, and cross-border data flows.
https://gdpr.cloudsecurityalliance.org/resource/csa-code-of-conduct-for-gdpr-compliance/