FTC Gives Final Approval to Settlements with Four Companies Related to EU-U.S. Privacy Shield
The Federal Trade Commission has given final approval to settlements with four companies over allegations that they falsely claimed certification under the EU-U.S. Privacy Shield framework. In separate complaints, the FTC alleged that IDmission, LLC, mResource LLC (doing business as Loop Works, LLC), SmartStart Employment Screening, Inc., and VenPath, Inc. falsely claimed to be certified under the EU-U.S. Privacy Shield, which establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law. The FTC alleged that IDmission applied for Privacy Shield certification but never took the necessary steps to complete its certification under the program. The company claimed on its website, however, that it complied with the EU-U.S. Privacy Shield framework. According to the FTC complaints, SmartStart, VenPath, and mResource each certified to the Privacy Shield in 2016 but allowed their certifications to lapse. Despite this, all three companies continued to claim that they participated in the Privacy Shield program. The FTC further alleges that VenPath and SmartStart failed to abide by the Privacy Shield requirement that companies that stop participation in the Privacy Shield affirm to the Department of Commerce that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.
As part of the proposed settlements with the FTC, all four companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization and must comply with FTC reporting requirements. In addition, VenPath and SmartStart must continue to apply the Privacy Shield protections to personal information they collected while participating in the program, protect it by another means authorized by the Privacy Shield framework, or return or delete the information within 10 days of the order. After receiving no comments, the Commission voted 4-0-1 to give final approval to the settlements with the four companies.
New Orleans City Council Passes Ban the Box Ordinance
On October 18th, the New Orleans City Council passed a Ban the Box ordinance that prohibits the city and contractors from asking job candidates about their criminal history on initial job applications, which will take effect on March 1st, 2019. The city passed a similar ordinance in 2014 for classified and unclassified jobs in certain city positions, and the proposed ordinance extends this to “all entities with a city contract, grant, or cooperative endeavor agreement.” New Orleans still plans to “conduct criminal background checks on all candidates and make final hiring decisions for people with records in light of other relevant information, including experience, the seriousness of any past conviction, when the incident took place and what has occurred in the candidate’s life since then.”
Reported in Arnall Golden Gregory November 6, 2018, Daily Privacy and Consumer Regulatory Alert
N.C. – Duke’s Move to ‘Ban the Box’ Follows Trend Established by Other Universities, States
By “banning the box”—and therefore no longer requiring candidates to disclose their criminal records when initially applying—Duke follows a number of similar policies adopted at other colleges. The move came after other university systems such as the State University of New York system and the University of California system banned the box for all job candidates in September 2016 and July 2017, respectively. Louisiana and Maryland have also instituted statewide bans disallowing colleges from asking about crimes during the application process, and the Common Application is set to follow suit for next year’s college application season. The policy does not completely remove criminal records from being considered in the hiring process, said Philip Cook, ITT/Sanford professor of public policy. He explained that the “ban the box reform allows candidates with a [criminal] record to have a better chance of making it to the second round of the review process” where they may otherwise get routinely screened out. However, background checks will still be conducted at the offer stage for finalist job candidates at Duke. The city of Durham in 2011 and Durham County in 2012 banned the box for public employment and independent contractors. As of 2014, people with criminal records hired by the city of Durham had increased nearly sevenfold, and those hired by Durham County tripled. Since Duke is the leading employer in Durham County, Cook noted that this policy is a step in the right direction and would be an impactful move for local Durham residents who have a criminal record. As of 2018, more than 150 cities and counties and 33 states have adopted Ban the Box legislation, with 11 of the 33 states also removing the box from private employer applications, according to the National Employment Law Project. Although North Carolina has no statewide ban the box policy, several cities and counties including Asheville, Buncombe, Carrboro, Charlotte, Cumberland County, Durham, Durham County, Forsyth, Mecklenburg, Spring Lake, Wake County, Wilmington and Winston-Salem have banned the box for government and public employment candidates. “Employers are impacted by not only federal, but state and municipal requirements,” Cavanaugh wrote. “Several of our peers have been impacted by more local requirements.”
Medical Marijuana in Missouri: New Law Brings New Questions for Employers
Missouri voters approved Amendment 2 on Election Day 2018, one of the three medical marijuana measures appearing on the state’s ballot. Amendment 2 adds an article to the Missouri Constitution legalizing medical use of marijuana for qualifying patients and allowing people who qualify to grow their own plants. With a new law comes new questions about how this development will affect workplaces across the state.
What is Amendment 2?
Amendment 2 makes Missouri one of the 33 states in the country that have legalized marijuana to some degree. Amendment 2 does not change federal law, which continues to classify marijuana illegal under the Controlled Substances Act, even if it is used for medical reasons.
Under the new Missouri law, qualified patients who have approval from their physician will receive identification cards from the Missouri Department of Health and Senior Services that will allow them and their registered caregivers to grow up to six marijuana plants and purchase at least four ounces of cannabis from dispensaries on a monthly basis.
Do I have to let my employees work while high?
No. Missouri employers may continue to enforce their drug-free workplace policies prohibiting employees from working under the influence of marijuana even after the new law takes effect. In fact, employers will be pleased with the express language in Amendment 2 which provides a safety net for employers. The new law specifically prohibits employees from filing claims against Missouri businesses for wrongful discharge, discrimination, or similar causes of action based on the employer prohibiting the employee from being under the influence of marijuana while at work or disciplining the employee for working or attempting to work while under the influence of marijuana.
Can employees consume marijuana at work?
No. The express language of the amendment also prohibits public use of marijuana.
Can I still drug test candidates and employees?
Yes. The new law does not prevent you from drug testing potential or current employees. If you have a drug testing policy and practice, you should continue to follow that policy and enforce your disciplinary policies as you would no matter what kind of illegal drug shows up in the individual’s system.
If you employ individuals in safety-sensitive positions or other jobs that require drug testing under federal or state guidelines, you will almost certainly want to continue your current drug testing practices. In some cases, you may be required to do so under federal law, such as the Department of Transportation (DOT) regulations. In other cases, you will want to do so in order to avoid the risk of having one of your employees cause an accident involving members of the public, co-workers, or simply themselves, which could lead to devastating consequences and employer liability.
In fact, the Missouri law specifically states, “nothing in [the law] permits a person to operate, navigate, or be in actual physical control of any dangerous device or motor vehicle, aircraft or motorboat while under the influence of marijuana.”
Is medical marijuana use a reasonable accommodation in Missouri?
It’s too soon to tell. Amendment 2 does not address this issue and we cannot predict how a Missouri court would rule in cases involving reasonable accommodations for qualified patients using medical marijuana. Although the answer is left open to debate, employers will need to explore “what-if” scenarios.
When will the new law take effect?
The election results still need to be certified by the Secretary of State’s office before the law will become official, which is expected to take place on or around December 6. The Missouri Department of Health will then be tasked with developing regulations to implement the law, which needs to complete the process by June 2019. At that point, however, additional administrative requirements might mean that another six months might pass before the first prescriptions can be issued. In other words, you might not see your first candidate or employee with a valid medical marijuana card until late 2019 or even early 2020.
Chicago Park District Releases Report on Background Screening Policies
On November 15th, the Chicago Park District’s Inspector General released a report that found that the district failed to follow its background screening policies by failing to consistently screen volunteers. The report recommended that the park district “initiate a top-to-bottom evaluation of its volunteer program and enact policies that ensure the prompt and complete processing and tracking of all volunteers.” An average of 30 percent of active volunteers did not undergo a background check and many volunteers were never screened. The review also found that volunteers were only screened for criminal convictions in Illinois. As a result of the report, the Chicago Park District “is currently working on implementing automated volunteer management, instituting more comprehensive background checks and updating its policies and ability to track compliance.”
Reported in Arnall Golden Gregory Daily Privacy & Consumer Regulatory Alert Dated November 20, 2018
Immunity from Lawsuits Under the FCRA
On October 11th, the U.S. District Court for the District of Columbia ruled that states are immune from lawsuits under the Fair Credit Reporting Act (FCRA) in Pendergrass v. Washington Metropolitan Area Transit Authority (WMATA). Plaintiff Galen Pendergrass alleged that WMATA’s criminal background check policy was discriminatory after his job offer was rescinded following a background check that found a conviction for a nonviolent offense. Pendergrass claimed that WMATA’s policy had a “disparate impact” on African-American candidates due to their historically higher rate of criminal convictions. The case was dismissed because the court held that WMATA’s hiring policies are governmental decisions that are immune from lawsuits and decisions concerning the hiring of WMATA employees are “immune from judicial review.” The court also held that neither the governments that chartered WMATA nor Congress abrogated immunity to FCRA claims. The case is Pendergrass v. Washington Metropolitan Area Transit Authority, Civil Action No. 18-622, in the U.S. District Court for the District of Columbia.
Reported in Arnall Golden Gregory November 6, 2018, Daily Privacy and Consumer Regulatory Alert
Stanford University Facing New FCRA Class Action
Stanford University is facing a new FCRA class action with, potentially, over a thousand class members. And it’s not the first time Stanford has faced these claims. According to the class action complaint in Richards v. Leland Stanford Junior University et al., Theresa Richard applied and was hired to work as a dining hall worker at Stanford University. During the application process, Ms. Richard completed Stanford’s standard application form, which permitted Stanford to obtain a consumer report on the Ms. Richard’s background. The clause in question provided:
I authorize a thorough investigation of my prior employment, education background, criminal record and, where applicable to a position, credit check and/or driving record. I agree to cooperate in such an investigation, to execute any consent forms required in connection with those investigations, and release form [sic] all liability and responsibility all persons or entities requesting or supplying such information. I understand that employment is conditional based on investigation results.
Ms. Richard’s class action complaint alleges that Stanford both failed to make a proper disclosure and failed to get proper authorization under the Fair Credit Reporting Act. Specifically, Ms. Richard cites to 15 U.S.C. § 1681b(b)(2)(A)(i) and (ii), which provides:
Except as provided in subparagraph (B), a person may not procure a consumer report, or cause a consumer report to be procured, for employment purposes with respect to any consumer, unless—
- a clear and conspicuous disclosure has been made in writing to the consumer at any time before the report is procured or caused to be procured, in a document that consists solely of the disclosure, that a consumer report may be obtained for employment purposes;
- the consumer has authorized in writing (which authorization may be made on the document referred to in clause (i)) the procurement of the report by that person.
15 U.S.C. § 1681b(b)(2)(A)(i). The complaint seeks statutory damages of up to $1,000 per violation, punitive damages, attorney’s fees and costs. Stanford’s exposure here may be significant: Ms. Richard’s claims assert potentially thousands of violations of the Fair Credit Reporting Act and more than one thousand class members.
Notably, this isn’t the first time that Stanford has faced FCRA claims for the disclosures in their application forms. In 2015, Stanford faced precisely the same claims from another employee.
In Lagos v. Leland Stanford Junior Univ., the plaintiff brought a class action complaint, asserting the same FCRA claims as Ms. Richards. Lagos survived a motion to dismiss in that case. No. 5:15-CV-04524-PSG, 2015 WL 7878129, at *2 (N.D. Cal. Dec. 4, 2015).
Court Grants Final Approval of $1.2M FCRA Class Action Settlement Against Petco
On November 16, the United States District Court for the Southern District of California granted final approval of a $1.2 million Fair Credit Reporting Act class action settlement against Petco Animal Supplies, Inc. A putative class action was filed against Petco in June 2016, challenging the company’s form of disclosure for employment background checks. The complaint alleged that the background check disclosure was “hidden” among other pages of “fine print” and did not constitute the “stand alone” disclosure required by law. After more than two years of litigation, including discovery and motions practice, the parties reached a class settlement.
The key terms of the settlement are as follows:
- Total Settlement Fund: $1.2 million
- Settlement Class Definition: “All persons regarding whom Defendant procured or caused to be procured a consumer report for employment purposes during the period from May 1, 2014 through December 31, 2015. Included in the Settlement Class is a subclass consisting of those against whom Petco took an adverse action subsequent to procuring a consumer report and did not receive a pre-adverse action notification letter.”
- Settlement Class Sizes: The Disclosure Class consists of 37,279 class members. The Adverse Action Subclass consists of 52 class members.
- Settlement Class Member Benefits: Members of the Disclosure Class will receive approximately $20 each. Members of the Adverse Action Subclass will receive an additional $150 each, for a total settlement of approximately $170 each.
- Attorneys’ Fees: $300,000.
- Total Incentive Award for the Two Named Plaintiffs: $10,000.
New Data Breach Reporting Requirements Under PIPEDA Come Into Force This Week
Businesses have new obligations under breach of security safeguards rules coming into force this week, says the Canadian Federal Privacy Commissioner. Changes to Canada’s federal private sector privacy law will require organizations to report certain breaches of security safeguards to the Commissioner’s office and to notify those affected. The Office of the Privacy Commissioner of Canada has published guidance to help businesses comply with the new requirements as well as a new reporting form.
Under the new regulations for organizations subject to the Personal Information Protection and Electronic Documents Act, which come into force November 1, organizations must:
- Report to the Privacy Commissioner’s office any breach of security safeguards where it creates a “real risk of significant harm;”
- Notify individuals affected by a breach of security safeguards where there is a real risk of significant harm;
- Keep records of all breaches of security safeguards that affect the personal information under their control; and
- Keep those records for two years.
Privacy International Files GDPR Complaints Against Companies
Privacy International (“PI”) has filed complaints against seven companies including Experian, Equifax and Oracle for alleged contravention of the GDPR. The rights group is hoping to highlight what it believes is illegal use of customer data, particularly for profiling purposes. It’s part of a wider campaign designed to make it easier for consumers to demand companies delete their data under the new legislation. The complaints—based on 50 Data Subject Access Requests and information gathered from the companies’ privacy policies and marketing material—also target data broker Acxiom, and ad-tech firms Criteo, Quantcast and Tapad. According to PI, the company’s practices have breached the GDPR principles of transparency, fairness, lawfulness, purpose limitation, data minimization, and accuracy. The firms also allegedly have no legal basis for using data in the way they do, a key requirement of the GDPR. PI claims that neither consent nor legitimate interest are applicable in these cases, and there’s no basis for processing sensitive data. Specifically, PI claimed that they failed to demonstrate consent was “freely given, specific, informed, and unambiguous,” and in the case of legitimate interest they have twisted the meaning to fit their own interests without considering the impact on individuals’ rights, PI. The GDPR sets clear limits on the abuse of personal data. PI’s complaints set out why they consider these companies’ practices are failing to meet the standard.
The U.S. Virgin Islands Joins the Ban the Box Movement
On November 10, 2018, the U.S. Virgin Islands joined the “ban-the-box” movement by enacting legislation regulating employers’ use of the criminal records of candidates and employees. Currently, 32 states and over 150 localities have enacted such laws for public employers; approximately 12 states and 17 localities have extended such laws to private-sector employers, and some jurisdictions have extended such laws to government contractors. The Virgin Islands law, Act No. 8134:
- prohibits employers from asking an candidate to disclose any information concerning: (i) an arrest or detention that did not result in a conviction; (ii) “a referral to, or participation in, any pretrial or post trial diversion program”; or (iii) “a conviction that has been judicially dismissed or ordered sealed pursuant to law.”
- prohibits employers from seeking any of these categories of information from another source.
- prohibits employers from considering any such information when making decisions about hiring, promotion, termination, or selection for any training program resulting in hiring.
- permits candidates affected by a violation of the law to recover the greater of $200 or actual damages, plus costs and attorneys’ fees.
- subjects employers that violate the law to a criminal fine of up to $500 or imprisonment of up to six months.
The law applies to public and private employers of all sizes, except if:
- “state or federal law requires the candidate to be rejected based upon criminal history”;
- the job position requires a satisfactory criminal background;
- a conviction of one or more specified offenses would disqualify the candidate from obtaining a standard bond that is required of individuals hired for the position; and
- “the employment is within a facility that provides programs, services, or direct care to minors or vulnerable adults including the educational system or child care.”
In addition to these general exceptions, the law does not prohibit an employer at a health facility, as that term is elsewhere defined under Virgin Islands law, from asking candidates for positions with regular access to patients or with access to drugs and medications to disclose arrests for violations of certain territorial laws. The law also does not cover individuals seeking employment or employed as peace officers, or candidates for positions in the Virgin Islands Department of Justice or other criminal justice agencies.
Comparison With Other State and Federal Laws
The Virgin Islands prohibition relating to arrest records is generally consistent with U.S. Equal Employment Opportunity Commission (EEOC) Enforcement Guidance No. 915.002, which adopts the position that an arrest record, by itself, is not job related and consistent with business necessity. However, whereas the EEOC Guidance provides that an employer may inquire into the conduct underlying the arrest to determine an candidate’s fitness for a particular position, the Virgin Islands law prohibits employers from inquiring into “information concerning” an arrest, which appears to include the conduct underlying the arrest. In this respect, the Virgin Islands law seemingly is stricter than the federal guidance. The Virgin Islands law is also more restrictive than ban-the-box laws in many jurisdictions because it extends beyond the hiring process and includes promotions, selections for training programs, and decisions that affect any other conditions of employment. On the other hand, unlike the laws in other states and localities that regulate the timing of employer inquiries about convictions, the Virgin Islands law does not prohibit or otherwise regulate inquiries about convictions that have not been ordered sealed or judicially dismissed. Therefore, in accordance with federal law and guidance, employers in the U.S. Virgin Islands may inquire about criminal convictions of record when such inquiries are job related and consistent with business necessity, taking into account the nature and gravity of the offense, the time passed since the offense, and the nature of the job held or sought. Thereafter, and before taking adverse action, the EEOC guidance advises employers that rely upon such targeted screening inquiries to provide an opportunity for an individualized assessment by notifying the candidate or employee that the employer is considering taking adverse action, providing the individual an opportunity to demonstrate that the conviction should not be disqualifying and then considering whether any additional information supplied justifies an exception to the employer’s policy.
CNIL Warns Vectaury to Properly Obtain User Consent
France’s data protection authority, the CNIL, informed Vectaury Nov. 9 it needs to gather consent for its data-processing practices. Vectaury collects personal data through mobile devices to perform ad campaigns on the devices. A CNIL investigation found the company does not properly obtain consent. The agency determined users are not automatically informed when an app is downloaded that an SDK tool takes their location data. While Vectaury claims it processes data with users’ consent, the CNIL determined it was not collected until their data was used to build an ad profile. The president of the CNIL has given Vectaury three months to fix their consent practices or face a potential fine.
Privacy & What is Reasonable? OPC Inappropriate Data Practices Guidelines are Now Being Applied
In May, the Office of the Privacy Commissioner of Canada (the “OPC”) introduced Guidance on inappropriate data practices: Interpretation and application of subsection 5(3) (the “Inappropriate Data Practices Guidelines”). The Guidelines interpret Subsection 5(3) of PIPEDA:
An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
Applying this subsection requires a balancing of interests between the individual and the organization, and this analysis should be viewed through the eyes of a reasonable person. The OPC is of the opinion that the following purposes for collection, use or disclosure of personal information would generally be considered “inappropriate” by a reasonable person and therefore are currently considered to be offside PIPEDA.
- Profiling or categorization that leads to unfair, unethical or discriminatory treatment contrary to human rights law. Data analytics or other profiling/categorization that could lead to discrimination contrary to human rights law would not be considered “appropriate”. Unfair or unethical results will require a case-by-case assessment; however, the OPC is of the view that these types of results will also generally be found to be inappropriate.
- Collection, use, or disclosure for purposes that are known or likely to cause significant harm to the individual. Individuals typically understand that the digital marketplace is filled with privacy trade-offs; however, it is not appropriate for organizations to require an individual to undergo significant privacy harm as a known or probable cost for products or services. Significant harm means “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on (one’s) credit record and damage to or loss of property”.
- Publishing personal information with the intended purposes of charging individuals for its removal. “Blackmail” is not an appropriate purpose and this has previously been declared as offside to PIPEDA (see OPC investigation of Globe24h).
- Requiring passwords to social media accounts for the purpose of employee screening. Requiring passwords in order to access private social media accounts may expose highly sensitive personal information that are neither relevant nor necessary for the employers’ legitimate business purposes. As a result, requiring passwords to social media accounts for the purposes of employee screening is generally not appropriate.
- Surveillance by an organization through audio or video functionality of the individual’s own device. Generally speaking, organizations cannot track an individual through audio or video functionality of an individual’s device, either covertly or with consent in instances where doing so is grossly disproportionate to the business objectives. It may be permissible for the audio or video functionality to be turned on in order to provide a service if the individual is fully aware and in control and the captured information is not recorded, used, disclosed or retained except for the purpose of providing the service.
- Collection, use, or disclosure that is otherwise unlawful. Organizations should know all regulatory and legislative requirements that may govern their activities. Individuals should feel safe knowing the collection, use or disclosure of their personal information will not be done for purposes that contravene the laws of Canada or its provinces. This is supported by PIPEDA Principle 4 which requires collection to be “by fair and lawful means”.
It is important that businesses be familiar with the Guidelines, as the OPC began applying them in July.
If a company in the United States uses a service provider that is located in Europe, does it risk subjecting itself to the GDPR?
The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive—and complex—data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR. The GDPR applies to companies that process data “in the context of the activities of an establishment…in the Union.” Although the regulation does not offer a precise definition of what it means to be an “establishment,” the recitals to the regulation state that an establishment “implies the effective and real exercise of activity through stable arrangements.” This language has led many American companies to be concerned that using a service provider in Europe might be viewed as a “stable arrangement” that brings American companies, inadvertently, within the jurisdiction of the GDPR. The European Data Protection Board has addressed this concern by stating that it “deems that a processor in the EU should not be considered to be an establishment of a data controller…merely by virtue of its status as processor.” As a result, an American company “will not become subject to the GDPR simply because it chooses to use a processor in the [European] Union.” Although American companies are not infected with the GDPR simply because they send their data to European processors, it is important to note that European service providers are, themselves, subject to the GDPR when handling the American data. The net result is that while an American company may not need to comply with the GDPR, its European provider is independently “required to comply with the obligations imposed on processors by the GDPR.”
Draft GDPR Territorial Scope Guidelines Released
The European Data Protection Board (EDPB) has released draft Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) for public consultation and is welcoming comments until January 18, 2019. These guidelines have been long awaited by Canadian-based companies that, while having no physical presence in the EU, have been struggling to determine whether they are subject to the GDPR anyway by virtue of Article 3(2), which extends the application of the GDPR to controllers and processors not established in the Union but that (a) offer goods or services to EU data subjects or (b) monitor their behavior which takes place in the EU. In relation to Article 3(2), the guidelines recommend a two-fold approach:
- determine whether the processing relates to personal data of data subjects who are in the EU, and
- determine whether the processing relates to the offering of goods or services or to the monitoring of data subjects’ behavior in the EU.
Data Subjects in the EU
In determining whether data subjects are in the EU, the guidelines highlight the following:
- “While the location of the data subject in the territory of the Union is a determining factor for the application of the targeting criterion as per Article 3(2)…the nationality or legal status of a data subject who is in the Union cannot limit or restrict the territorial scope of the GDPR.” (In other words, the GDPR will apply if a data subject is in the EU, regardless of nationality or legal status.);
- “The requirement that the data subject be located in the Union must be assessed at the moment when the relevant trigger activity takes place, i.e. at the moment of offering of goods or services or the moment when the behavior is being monitored, regardless of the duration of the offer made or monitoring undertaken.”;
- “[T]he fact of processing personal data of an individual in the Union alone is not sufficient to trigger the application of the GDPR to processing activities of a controller or processor not established in the Union. The element of “targeting” individuals in the EU, either by offering goods or services to them or by monitoring their behavior…must always be present in addition.” [emphasis added]; and
- “[T]he processing of personal data of EU citizens or residents that takes place in a third country does not trigger the application of the GDPR, as long as the processing is not related to a specific offer directed at individuals in the EU or to a monitoring of their behavior in the Union.”
Offering of Goods or Services to EU Data Subjects
In determining whether goods and services are being offered to EU data subjects, the guidelines list factors that could inter alia be taken into consideration, possibly in combination with one another:
- The EU or at least one Member State is designated by name with reference to the good or service offered;
- The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
- The international nature of the activity at issue, such as certain tourist activities;
- The mention of dedicated addresses or phone numbers to be reached from an EU country;
- The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
- The description of travel instructions from one or more other EU Member States to the place where the service is provided;
- The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
- The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member states; and
- The data controller offers the delivery of goods in EU Member States.
The guidelines go on to state that “[s]everal of the elements listed above, if taken alone may not amount to a clear indication of the intention of a data controller to offer goods or services to data subjects in the Union, however, they should each be taken into account in any in concreto analysis in order to determine whether the combination of factors relating to the data controller’s commercial activities can together be considered as an offer of goods or services directed at data subjects in the Union.” Finally, in relation to the offering of goods or services to EU data subjects, the guidelines emphasize that: “It is however important to recall that Recital 23 confirms that the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, the mention on the website of its e-mail or geographical address, or of its telephone number without an international code, does not, of itself, provide sufficient evidence to demonstrate the controller or processor’s intention to offer goods or a services to a data subject located in the Union.”
Monitoring of EU Data Subjects’ Behavior
As for monitoring the behavior of EU data subjects that takes place in the EU, the guidelines state that: “The EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as “monitoring”. It will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioral analysis or profiling techniques involving that data.” The guidelines identify the following activities as examples of “monitoring”:
- Behavioral advertisement;
- Geo-localization activities, in particular for marketing purposes;
- Personalized diet and health analytics services online;
- Market surveys and other behavioral studies based on individual profiles; and
- Monitoring or regular reporting on an individual’s health status.
In addition to clarifying the scope of application of Article 3(2), the guidelines also describe the meaning of the “establishment” criterion within the meaning of Article 3(1) and offer further clarity on situations where a controller is not established in the EU but is in a place where Member State law applies by virtue of public international law, and therefore is subject to GDPR by virtue of Article 3(3).
No Double-Dipping Under FCRA
In an oldie but goodie, an FTC blog from February 2017 warns employers who rely on credit checks not to double-dip. In other words, if an employer requests a consumer report for one purpose, the employer should not then use the report for another purpose. The FTC explains that, when an employer receives a consumer report from a CRA, it must certify to the CRA the purpose for which the report will be used, and the report should only be used for that purpose. The FTC provides two examples: “if you get a report for a membership determination, you can’t then use it to make a credit decision. Or if you get a report to determine eligibility for a government benefit, you can’t then give it to a different government agency to make another eligibility determination.” The importance, according to the FTC? Transparency. Consumers cannot accurately track how their credit information is being used when a single credit report is used for multiple purposes.
Port Authority Won’t Ask About Criminal History in Initial Job Applications
Port Authority has joined many government agencies across the country that have quit asking potential hires, on their initial application, whether they have a criminal record. Port Authority spokesman Adam Brandolph said the agency eliminated the box about a criminal record from its standard job application Nov. 14. The agency has about 2,600 employees and fills about 250 positions each year. Pittsburgh and Allegheny County took the question off their job applications more than four years ago. Port Authority also eliminated a question about an candidate’s previous salary, Mr. Brandolph said. The agency often used that information as a base, offering a candidate 5 percent more than the listed salary if the person was someone the authority wanted to hire. Mr. Brandolph said that question was eliminated because the agency thought that some groups, such as women, had previously been discriminated against and unfairly received lower salaries, meaning such discrimination would be perpetuated with just a 5 percent raise. Now, the agency sets a salary for the job regardless of an candidate’s salary history.