CDC Modifies Guidance For Critical Infrastructure Employers
The CDC continues to issue updated guidance on how to maintain a safe workplace during the pandemic. On November 16, 2020, the CDC modified its guidance for “critical infrastructure” employers on whether they can permit asymptomatic workers to continue to work after exposure to an individual with a suspected or confirmed case of COVID-19. Since the onset of the pandemic, the CDC has recommended, and many, if not all, localities have required, that employees exposed to someone with COVID-19 must remain away from work (i.e., self-quarantine) for 14 days from the exposure. Some employers of “critical infrastructure workers,” however, have had a partial exemption to the self-quarantine requirement.
Under the critical infrastructure worker exemption, employees who have been exposed to the virus can continue to work, provided the worker remains asymptomatic and employers implement the following mitigation precautions:
- Encourage employees to screen for symptoms prior to reporting to work.
- Symptom screen employees, including temperature checks, upon their arrival at work.
- Regularly monitor employees for symptoms while at work.
- Require employees to wear face coverings while at work.
- As job duties permit, require employees to maintain social distance while at work.
- Routinely clean and disinfect the areas accessed by employees.
Under the CDC’s modified guidance, the above rules still apply, but they now carry a strong warning. Since COVID-19 can be spread by pre-symptomatic and asymptomatic individuals, and there has been a huge surge in transmission throughout the United States, the clarified CDC guidance now states:
Employers may consider allowing exposed and asymptomatic critical infrastructure workers to continue to work in select instances when it is necessary to preserve the function of critical infrastructure workplaces. This option should be used as a last resort and only in limited circumstances, such as when cessation of operation of a facility may cause serious harm or danger to public health or safety.
According to the CDC, 14-day self-quarantine “is still the safest approach to limit the spread of COVID-19 and reduce the chance of an outbreak among the workforce.” Permitting potentially exposed employees to continue to work “carries considerable risk to other workers because many people with COVID-19 are asymptomatic but can still spread disease, and tests are imperfect,” the CDC said, emphasizing that use of exposed workers “should not be the first or most appropriate option” to ensure continued critical work.
Since continued use of workers exposed to the virus is an option of last resort, the CDC provided these suggestions for how employers can avoid utilizing this option:
- Identify and prioritize job functions essential for continuous operation.
- Cross train employees to ensure that multiple employees can perform critical functions even if key employees are absent.
- Reevaluate job functions to match critical functions among other equally skilled and available workers.
The CDC also recommended that employers work “with state, tribal, local, and territorial public health officials in managing the continuation of work in a way that best protects the health of their workers and the general public.” This recommendation falls in line with states, like California, that have instructed critical infrastructure employers to contact local health departments to determine if exposed asymptomatic workers can continue to work.
Importantly, the modified guidance focuses on harm to public health and safety. Potentially exposed/asymptomatic workers should continue to work only if the loss of their workplace contributions would result in “serious harm or danger to public health or safety.” Serious harm to a business’s ability to continue to operate is not, by itself, adequate justification.
With this modified guidance, the CDC has put the business community on notice that the critical infrastructure exemption applies only to businesses involved in or impacting public health and safety. Employers should closely review the U.S. Department of Homeland Security’s Critical Infrastructure Security Agency website to determine whether they fall within a qualifying critical sector definition and which of their employees are considered critical. Employers looking to operate under this exemption should also make sure they are aware of any state or local requirements and/or recommendations that may differ from the CDC guidance and comply with any additional or differing provisions. In light of the nuanced and changing rules that may apply, critical employers should consider consulting with counsel to ensure compliance.
What Employers Need To Know About The Long-Awaited EEOC Religious Discrimination Update
The Equal Employment Opportunity Commission (EEOC) revised its Compliance Manual on Religious Discrimination for the first time in 12 years, and employers should take note.
The updates were guided by Supreme Court decisions handed down since the manual’s last update. The proposed manual:
- Expands the definition of a “religious organization” so that it does not rule out for-profit entities or those engaged in secular activities. The updated manual removes the EEOC’s four-factor test to decide if an organization is a religious organization. Instead, it looks to “all the facts.” However, the manual does not answer the question of whether a for-profit corporation can be a religious corporation.
- Expands the ministerial exception in the wake of two Supreme Court decisions. In both cases, the court ruled that this exception is not limited to clergy members or those who “minister.” Under the updated manual and precedent, this exception extends to those the religious organization selects to “personify its beliefs,” “shape its faith and mission,” or “minister to the faithful.” This could include teachers, musicians, kosher food inspectors and other employees.
- Clarifies that an employer may not refuse to hire people because the employer presumes they will request a reasonable accommodation, regardless of whether they tell the employer they need one. For example, an employer cannot refuse to hire someone just because the employer assumes there will be a conflict between an applicant’s headscarf and the company’s “look policy.”
- Clarifies that when an employer claims an employment decision was based on religion, any inquiry into the basis for the decision must be limited to whether the reason for the decision was sincere.
- Gives examples of when an employee’s religious beliefs on hot-topic issues like birth control, abortion or LGBTQ rights might conflict with employer requirements.
The proposed manual is open for public comment until Dec. 17.
Voters Approve The California Privacy Rights Act
Less than one year after the California Consumer Privacy Act (“CCPA”) became effective, on November 3, 2020, California voters approved the California Privacy Rights Act (“CPRA”), a consumer privacy ballot initiative that amends and expands the CCPA. The CPRA affords California residents significantly more control over their personal information, imposes heightened compliance obligations on covered businesses, and establishes a new enforcement agency dedicated to consumer privacy. The CPRA’s substantive provisions become effective January 1, 2023, and new regulations are expected to be introduced by July 1, 2022. Of specific relevance to the background screening industry:
SEC. 15, Section 1798.145 of the Civil Code is amended to read: 1798.145. Exemptions
(d) (1) This title shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report, as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.) activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.
(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed or sold except as authorized by the Fair Credit Reporting Act.
4 States Vote To Legalize Recreational Marijuana Use: Arizona, Montana, NJ, South Dakota
On election day, four more states, Arizona, Montana, New Jersey, and South Dakota, voted to legalize the recreational use of marijuana. These four states will join the 11 states that already permit such recreational use: Alaska, California, Colorado, Illinois, Maine, Massachusetts, Michigan, Nevada, Oregon, Vermont, and Washington. In all four states, a majority of voters have opted “yes” for ballot propositions that will legalize the possession and use of marijuana for people who are 21 years and older.
NJ Legalizes Recreational Cannabis – What It Means For Employers Is Not Entirely Clear, Yet
Legalized adult recreational use of cannabis is coming to New Jersey. On November 3, 2020, New Jersey voters approved a ballot measure to amend the New Jersey Constitution to, among other things, make lawful the personal, nonmedical use of cannabis for individuals age 21 and over. Effective January 1, 2021, the amendment provides that regulatory authority will be given to the Cannabis Regulatory Commission, which already oversees medical marijuana, but that the commission’s authority must be authorized by “law enacted by the Legislature.”
The New Jersey legislature is working quickly to pass this enabling legislation, known as the “New Jersey Cannabis Regulatory, Enforcement Assistance, and Marketplace Modernization Act” (NJCREAMMA) (S21/A21). The legislature is also working to pass a separate law that would decriminalize possession and distribution of small amounts of marijuana, among other things (S2535/A-1897/A-4269, referred to here as the decriminalization bill). The decriminalization bill is necessary, in part, because individuals still face arrest between now and January 1, 2021 and the constitutional amendment does not legalize recreational cannabis use for individuals under the age of 21.
Both the New Jersey Senate Judiciary Committee and the Assembly Oversight, Reform and Federal Relations Committee approved NJCREAMMA on November 9. On Thursday, November 12, lawmakers will hold further committee hearings on NJCREAMMA and expect the legislation could pass the full Senate and Assembly by November 16. If enacted as currently written, NJCREAMMA and the decriminalization bill will have important implications for New Jersey employers. These proposed laws, however, are still moving through the legislative process, subject to change, and likely will have to be reconciled to iron out inconsistencies.
Employment Provisions of NJCREAMMA
NJCREAMMA would prohibit employers from taking adverse employment action against employees or applicants based on their cannabis use (or non-use). Specifically, the bill provides that:
No employer shall refuse to hire or employ any person or shall discharge from employment or take any adverse action against any employee with respect to compensation, terms, conditions, or other privileges of employment because that person does or does not smoke, vape, aerosolize or otherwise use cannabis items, unless the employer has a rational basis for doing so which is reasonably related to the employment, including the responsibilities of the employee or prospective employee.
The bill does not contain an express private right of action for violations of this provision. That silence likely will lead to litigation regarding whether an implied right of action exists under the three-part test adopted in R. J. Gaydos Ins. Agency v. Nat’l Consumer Ins. Co., 168 N.J. 255, 271 (2001): “To determine if a statute confers an implied private right of action, courts consider whether: (1) plaintiff is a member of the class for whose special benefit the statute was enacted; (2) there is any evidence that the Legislature intended to create a private right of action under the statute; and (3) it is consistent with the underlying purposes of the legislative scheme to infer the existence of such a remedy.”
The bill also does not define “rational basis” or otherwise provide guidance on how to apply that standard. Notably, however, it appears that NJCREAMMA borrowed its standard from the nondiscrimination provision of New Jersey’s Smoke-Free Air Act. Thus, if courts determine that an implied private right of action exists, they may look to case law interpreting the rational basis standard in the Smoke-Free Air Act for guidance. See Still v. Bd. of Review, 2012 WL 2035802, at *6 (N.J. Super. Ct. App. Div. June 7, 2012) (no-smoking in company vehicle policy was rationally based). This silence will breed litigation. For example, while employers still may prohibit the use of cannabis items while working, the question remains whether workplace safety considerations would be considered a “rational basis” for adverse actions based on cannabis use outside of work and, if so, under what circumstances. And, of course, the fundamental question of how to determine if/when an employee is under the influence of cannabis (or medical marijuana) at or during work remains.
NJCREAMMA, however, would permit employers to keep or establish drug and alcohol-free workplaces and employers would not have to permit or accommodate cannabis use in the workplace or during work hours. Specifically, the proposed law states that nothing in it:
Requires an employer to amend or repeal, or affect, restrict or preempt the rights and obligations of employers to maintain a drug and alcohol free workplace or require an employer to permit or accommodate the use, consumption, being under the influence, possession, transfer, display, transportation, sale, or growth of cannabis or cannabis items in the workplace, or to affect the ability of employers to have policies prohibiting cannabis use or intoxication by employees during work hours.
Relatedly, private property owners—which would seemingly include landlords for leased office, warehouse, and retail spaces—may also generally prohibit the “consumption, use, display, transfer, distribution, sale, or transportation of cannabis items on or in that property.”
Employment Aspects of the Decriminalization Bill
Under this proposed law, employers cannot consider when making an employment decision, require an applicant to disclose or reveal, or take any adverse employment action against an applicant for employment based on an arrest, charge, conviction, adjudication of delinquency, civil penalty, or community service for certain marijuana-related offenses. The bill exempts, however, situations where the employment sought or being considered is for a position in law enforcement, corrections, the judiciary, homeland security, or emergency management.
Employers who violate this provision would be subject to civil penalties collectible by the Commissioner of the New Jersey Division of Labor and Workforce Development: up to $1,000 for the first violation, $5,000 for the second violation, and $10,000 for each violation after that.
These civil penalties are the sole remedy for violations of this provision. The law specifically provides that nothing in this nondiscrimination provision is to be construed as creating a private cause of action against employers who violate it, that it does not establish a standard of care or duty for employers regarding any other law, and that evidence that employers have violated this provision is not admissible in any legal proceeding other than one to enforce the civil penalties. That said, we expect that there still could be litigation regarding whether a termination for off-duty marijuana use (instead of an off-duty arrest or conviction for such use) might provide the basis for a common law wrongful discharge claim under the New Jersey Supreme Court’s decision in Pierce v. Ortho Pharm. Corp., 84 N.J. 58 (1980). But sound arguments are available that no such claim should be allowed to proceed given that the bill’s language creates an alternative enforcement apparatus where the Division of Labor and Workforce Development enforces this provision and can impose penalties.
In a separate provision, the decriminalization bill creates a private cause of action for those who allege discrimination in “public or private housing, real property, or a place of public accommodation,” based on a prior arrest, charge, conviction, adjudication of delinquency, civil penalty, or community service related to certain marijuana-related offenses. While seemingly unconnected to employment, the provision provides that, if the discrimination in public or private housing, real property, or a place of public accommodation “impacted the person’s employment,” a court may order, among other relief, reinstatement of employment, reinstatement of benefits and seniority rights, and compensation for lost wages, benefits, and other remuneration. It is unclear how these employment-related remedies would work in practice, particularly in light of the bill’s separate civil penalties provision described above applicable to employers. For example, is an individual who is unlawfully denied housing because of a prior conviction and, as a consequent effect loses their job, entitled to seek reinstatement of employment even if the employer was uninvolved in the housing discrimination? Would the employer be a party to such a proceeding? Further legislative developments may shed light on whether this was a drafting error or whether there is some other meaning that is not readily apparent.
Recommendations for Employers
While there could be, and likely will be, changes made during the legislative process, New Jersey employers will want to start considering taking the following steps when the finalized laws take effect:
- Update policies to ensure compliance with the nondiscrimination portions of the proposed laws
- Determine whether bans on employee or applicant recreational cannabis use are permissible under the proposed laws, applying the rational basis standard to each job position, and update drug-testing procedures accordingly
- Update drug-testing protocols with vendors
- Train managers and human resources employees on the proposed laws and ensure that they are aware of their nondiscrimination provisions, but also that employees are still prohibited from using, possessing, or being impaired by cannabis in the workplace or during work hours
- Train managers on the indicia of reasonable suspicion of employees under the influence of cannabis at work
- Consider researching the market for tests that provide an objective measure of impairment due to cannabis
Oregon Decriminalizes Hard Drug Possession
Oregon voters passed Measure 110 last week by a wide margin. The ballot measure reclassified possession of small amounts of a list of hard drugs as a Class E civil violation, similar to a traffic offense. A violator can avoid the associated $100 fine by agreeing to participate in a health assessment. Possession of larger quantities of drugs will still be criminal acts, most classified as misdemeanors. Selling and manufacturing drugs remain criminal. The state decriminalization provisions take effect on February 1, 2021. Of course, the hard drugs decriminalized in Oregon are still criminally enforceable by federal authorities under the federal Controlled Substances Act. The Oregon decriminalization follows similar efforts in some European countries that have addressed minor drug possession from a public health perspective rather than a criminal justice perspective. Depending on changing societal attitudes towards drugs and the perceived success of the Oregon program, this new approach may be adopted by other states in the coming years. If state legalizations of recreational marijuana provide any guide, Oregon’s Measure 110 also may lead to increased positive drug tests and workplace impairments by hard drugs, at least in the short term. Employers may and should still prohibit the possession of and impairment by these drugs in the workplace. Anticipating laxer attitudes towards hard drugs in Oregon, employers would be wise to train managers on reasonable suspicion factors and retrain employees on workplace zero-tolerance policies, particularly for employees in safety-sensitive positions.
Montgomery County, MD Amends Ban-the-Box Legislation
On November 20, 2020, the Montgomery County, Maryland Council approved amendments to its 2014 “ban-the-box” legislation. The original legislation (Bill 36-14) prohibited employers with 15 or more full-time employees in Montgomery County from conducting a criminal background check of a job applicant, or otherwise inquiring about the criminal or arrest history of an applicant, prior to the completion of a first interview. Bill 35-20 expands the scope of the previous legislation by prohibiting background checks until after a conditional job offer has been extended, and redefining “employer” to include any employer with one or more full-time employees in Montgomery County.
The key changes to Montgomery County’s ban-the-box law are as follows:
- Timing of criminal record inquiry: Permitted only after a conditional offer of employment is extended to the applicant.
- Prohibited inquiries: Employers may not inquire into whether:
  - The applicant has been arrested for a matter that did not result in a conviction;
  - The applicant has a first conviction for trespass, disturbing the peace, or misdemeanor assault in the second degree; or
  - The applicant has a misdemeanor conviction, if at least three years have passed since the date of conviction and the date that any period of incarceration for the misdemeanor ended.
- Definition of “employer”: The amendments redefine employer as “any person, individual, proprietorship, partnership, joint venture, corporation, limited liability company, trust, association, or other entity operating and doing business in the County that employs 1 or more persons full-time in the County. Employer includes the County government, but does not include the United States, any State, or any other local government.”
Other Maryland Jurisdictions
Notably, Bill 35-20 is more restrictive than Maryland’s statewide ban-the-box law, which took effect on February 29, 2020. The statewide legislation currently applies to employers with 15 or more full-time employees and permits an employer to inquire about criminal history during the first interview. Montgomery County is one of three jurisdictions in Maryland where the ban-the-box law is more restrictive than the state law, the other two being Prince George’s County and Baltimore City.
Prince George’s County’s ban-the-box regulation applies to employers with 25 full-time employees and prohibits inquiries into arrest or conviction records until after the first interview. In addition, covered employers in Prince George’s County must provide pre-adverse action and final adverse action notices to prospective employees when the employer intends to withdraw a conditional offer of employment based on the prospective employee’s criminal history.
Baltimore City’s ban-the-box ordinance prohibits employers from inquiring into a prospective employee’s criminal history until after the employer makes a conditional offer of employment. The ordinance applies to private employers with at least 10 full-time-equivalent employees in the City of Baltimore.
The new legislation goes into effect on February 19, 2021. In advance of the effective date, Montgomery County employers should remove questions about criminal history from their job applications if they have not done so already and revise their hiring procedures to delay any inquiry about criminal history until after a conditional job offer has been extended.
Dismissed Criminal Convictions In California
Imagine this: you are an employer in California, and you recently hired a new employee. You ran your own background check, which did not turn up any criminal convictions. However, the employee’s job duties include submitting online applications to a government agency, which requires the employee to complete a Live Scan background check with the Department of Justice. The Live Scan reveals that the employee has a past criminal conviction that will prevent her from submitting the applications. You terminate the employee, and she tells you the conviction was judicially dismissed. What do you do?
This somewhat unique scenario is the basis of Lilia Garcia-Brower v. Premier Automotive Imports of CA, LLC. What made the scenario even more interesting was the basis for the employee’s conviction. In 2010, just four years before she applied to work at Premier Automotive Imports, the employee was convicted of grand theft for embezzling $2,600 from her prior employer, which, like her new employer, was a car dealership. The employee paid restitution, completed 15 days of community service, and served three years of probation, then filed a successful motion to have her conviction dismissed pursuant to Penal Code section 1203.4.
The employer decided to terminate the employee for stealing from a prior employer, and the employer did not change its mind when the employee explained that the conviction had been judicially dismissed. The background report that turned up the conviction was later corrected to show that the conviction had been judicially dismissed (which would allow the employee to perform the duties of the job), but by then the employee was already terminated.
The employee filed a complaint with the Labor Commissioner alleging she had been retaliated against for exercising her right, under Labor Code section 432.7, to not disclose a dismissed criminal conviction. Over the next several years of legal proceedings, the case boiled down to one central question: did the employer know the conviction had been dismissed when it made the decision to terminate the employee? In the latest ruling, the Court of Appeals found that the employee had presented enough evidence for this question to go to a jury.
This fact pattern raises an important question. While consideration of criminal convictions that have been judicially dismissed could create legal liability, can an employer take into account the reasons behind an employee’s prior termination without violating section 432.7, when the employee was terminated for conduct that could be criminal, like stealing? The answer should be yes. Section 432.7 gives an employee the right not to disclose a prior conviction that has been judicially dismissed, but it does not shield an employee from disclosing whether he or she has been terminated from a prior job or the reasons for that termination. The reasons for termination and the conviction should be viewed as two separate things—the employee was terminated for stealing, not because she was convicted of a crime. Employees who have not committed crimes can be required to disclose the reasons for their prior terminations, and it would not make sense for employees to be exempt from such disclosures when their terminations are due to criminal conduct.
The fact pattern also illustrates how California’s lesser-known prior conviction laws can impact California businesses. Employers would do well to familiarize themselves with prior conviction laws before making employment decisions based on those convictions.
A Voluntary Transfer Is Not An Adverse Employment Action
The U.S. Court of Appeals for the Fourth Circuit affirmed the rather obvious point (although apparently not to the employee) that when an employee voluntarily requests a transfer, and the employer agrees to it, the employee has not experienced an adverse employment action for purposes of the Americans with Disabilities Act. In Laird v. Fairfax County, Virginia, an employee with multiple sclerosis was initially granted generous accommodations that eventually proved to be unworkable. The employee filed a charge of discrimination with the Equal Employment Opportunity Commission, which was resolved by granting her request for a lateral transfer. Finding the new job not to her satisfaction, she then sued her employer for “demoting” her. The Fourth Circuit, however, stated that her claim “fails for a simple reason: If an employee voluntarily requests a transfer, and the employer agrees to it, there is no actionable adverse action.” It cited to a sister Circuit in further asserting, “a transfer cannot be ‘because of a disability’ if it occurred as the result of an employee’s own request.”
The Fourth Circuit Rules Employers Are Not Required To Reassign Employees As An ADA Accommodation
On November 18, 2020, the Fourth Circuit upheld a summary judgment award in favor of Lowe’s Home Centers LLC (Lowe’s), holding that it did not violate the Americans with Disabilities Act (ADA) when a disabled, long-term employee was removed from his senior role and passed over for two similar vacant positions. The Court’s decision contradicts guidance from the U.S. Equal Employment Opportunity Commission (EEOC), as stated in the agency’s amicus brief filed on behalf of the employee.
The Americans with Disabilities Act
The ADA states that “no covered entity shall discriminate against a qualified individual on the basis of disability in regard to job application procedures, the hiring, advancement, or discharge of employees…” 42 U.S.C. § 12112(a). A “qualified individual” is entitled to protection under the ADA if they are able to “perform the essential functions of the employment position” “with or without reasonable accommodation.” 42 U.S.C. § 12111(8). The ADA requires employers to provide “reasonable accommodations” to “qualified individuals,” which may include “job restructuring, part-time or modified work schedules, [and] reassignment to a vacant position.” 42 U.S.C. § 12111(9)(B).
Elledge v. Lowe’s
Elledge, a long-term employee of Lowe’s, filed suit for violation of the ADA, alleging Lowe’s (1) forced him out of his position despite being able to perform the essential functions of his job with reasonable accommodations and (2) refused to reassign him to another vacant director-level position. The district court granted summary judgment to Lowe’s, and Elledge appealed.
Elledge was a Market Director of Stores for nearly 10 years, overseeing a dozen stores. His job required him to walk the stores and drive to and from the stores. Elledge had knee problems and eventually underwent a series of knee surgeries. His condition led to difficulty traveling to and from the stores he oversaw, and Elledge’s doctor restricted his walking and working hours. Lowe’s abided by these restrictions and offered Elledge a motorized scooter to assist with store visits—which Elledge declined. Instead, Elledge arranged for subordinates to drive him to the different locations and did not adhere to the light-work accommodation. When Elledge’s restrictions became permanent, Lowe’s concluded Elledge could not remain in his current position and discussed other potential career opportunities at Lowe’s. Elledge refused the lower paying job presented and applied to two vacant director-level positions for which Lowe’s selected other employees. Elledge accepted a severance package and early retirement.
The EEOC’s Amicus Brief Argued the District Court Got it Wrong
The EEOC filed an amicus brief arguing the district court “misunderstood” and “ignored the plain language of the ADA” in concluding that the competitive hiring policy Lowe’s has for the vacant positions “effectively trumps the ADA duty to reassign” a qualified, disabled employee to a vacant equivalent position. Specifically, the EEOC argued that “reassignment” as a potential statutory accommodation does not mean “permission to compete for jobs with other employees.”
The Fourth Circuit Holding
The Fourth Circuit upheld the district court’s dismissal on summary judgment, rejecting the arguments of both Elledge and the EEOC.
With respect to the removal of Elledge from his original position, the Fourth Circuit found Elledge was, in fact, unable to perform the essential functions of his position even with reasonable accommodations, and thus, not a “qualified individual” under the ADA. In doing so, the Fourth Circuit reasoned that Elledge did not take advantage of the accommodations Lowe’s had provided but instead “created certain accommodations, rejected others, and pushed himself beyond the limits of his doctor’s orders.” The Fourth Circuit held that “[g]iven the essential functions of his job…no reasonable accommodation could…have sufficed.” Importantly, in so doing, the Court confirmed (i) that the employer’s determination as to what is an essential function merits “considerable deference”; and (ii) that, to the extent there is a variety of accommodation measures available, the employer—exercising “sound judgment”—has the “ultimate discretion” over which of these alternatives to employ.
With respect to the obligation of Lowe’s to reassign Elledge as an accommodation under the ADA, the Fourth Circuit rejected the notion that the United States Supreme Court case, U.S. Airways v. Barnett, required Lowe’s to appoint Elledge to one of the vacant positions rather than permit him the opportunity to apply within its competitive process, assuming no other reasonable accommodation. Rather, the Fourth Circuit, citing Barnett, stated that the ADA “does not require employers to construct preferential accommodations that maximize workplace opportunities for their disabled employees. It…requires…that preferential treatment be extended as necessary to provide them with the same opportunities as their non-disabled colleagues.” And, because Lowe’s consistently employed a “best-qualified hiring system,” its merit-based approach was “disability neutral” because “[i]t invite[d], reward[ed], and protect[ed] the formation of settled expectations regarding hiring decisions.”
The Fourth Circuit’s decision sheds light on how far an employer must go in reasonably accommodating a disabled employee and recognizes that while employers must provide adequate reasonable accommodations, they need not change the essential functions of a job or require other employees to share in those tasks. In addition, where there is more than one accommodation that would address the issue, it is the employer who makes the determination as to which will apply. Where, as here, the employee rejects a reasonable accommodation, the employer is under no obligation to present or adhere to another—including reassignment. And finally, to the extent “reassignment to a vacant position” is the only accommodation that would address the issue, the disabled employee is entitled to a “disability neutral” equal opportunity similar to that provided to their non-disabled employees.
Federal Court Allows FCRA Claims To Survive Motion To Dismiss
When a furnisher of credit information receives notice from a credit reporting agency (CRA) that a consumer has disputed the accuracy or completeness of information that the furnisher provided, the furnisher must investigate the dispute, review all relevant information it received from the CRA, and report the investigative results to the CRA. See 15 U.S.C. § 1681s-2(b). A consumer faces an exceedingly low bar to state a claim against a furnisher for a breach of this duty under the Fair Credit Reporting Act (“FCRA”), as illustrated by a Florida federal trial court’s November 6 ruling.
Earlier this year, the plaintiff in Harris obtained her credit report from two CRAs, which indicated that she had an “account in dispute.” The plaintiff then sent a letter to the CRAs, requesting that they remove the notation from her credit report, and the CRAs forwarded the plaintiff’s request to the furnisher of that information. The furnisher verified that the notation was accurate.
When the plaintiff obtained another credit report and noticed that it still indicated an “account in dispute,” however, the plaintiff filed suit against the CRAs and the furnisher, alleging in relevant part that the furnisher had negligently and willfully violated the FCRA by failing to properly investigate her dispute or review the letters she sent the CRAs. The plaintiff alleged injury due to damaged credit and emotional well-being.
The furnisher filed a motion to dismiss, on the ground that the complaint failed to state a claim against the furnisher under the FCRA, and that the plaintiff’s allegations regarding damages and causation were legally insufficient. To survive a motion to dismiss, a complaint must meet the standards set forth in Rule 8(a) of the Federal Rules of Civil Procedure, which requires merely “a short and plain statement of the claim showing that the [plaintiff] is entitled to relief” and “a demand for the relief sought.” Here, the U.S. District Court for the Middle District of Florida found that the plaintiff’s complaint met the Rule 8(a) standard, and therefore denied the furnisher’s motion.
In particular, the court noted that the plaintiff “explicitly allege[d] in her complaint” that:
- The furnisher “failed to conduct a proper investigation”;
- The furnisher “failed to review all relevant information available to it and provided by [third parties]”; and
- Plaintiff suffered harm to her credit and personal wellbeing as a result.
As such, “[n]othing more is required to survive a motion to dismiss,” the court held. Of course, whether the plaintiff’s claims have merit after surviving dismissal is a question for another day.
EU Data Protection Regulators Issue Critical Draft Guidance On Personal Data Transfers
US companies and other organizations whose activities involve the use of personal information from Europe were unsettled by the EU Court of Justice’s July 2020 Schrems II decision that cast doubt on the lawfulness of transferring personal data from the EU to the US. The European Data Protection Board (EDPB) has now published its long-awaited guidance as to what it expects organizations to do to bolster protections for transfers of personal data. The new guidance imposes a very high burden on transferors and recipients of EU personal data. However, organizations may appreciate that the EDPB guidance does at least provide a pathway (no matter how onerous) for data transfers following the Schrems II decision. Furthermore, the EDPB has clarified that its guidance applies to all personal data transfers under Article 46, which includes binding corporate rules as well as the Standard Contractual Clauses (SCCs) and the various yet-to-be-implemented codes of conduct and certifications envisioned by the GDPR.
Schrems II and the EDPB’s guidance apply to all ex-EU personal data transfers, but the remainder of this article focuses on transfers to the US.
What is the problem we need to solve?
The main thrust of the Schrems II case was to question whether the US national intelligence agencies’ ability to require certain US entities to turn over personal data of people who are in Europe fatally undercuts the EU-approved data transfer mechanisms as a means of ensuring that European personal data is adequately protected when it is transferred to the US. The Court stopped short of an outright prohibition on all personal data transfers to the US, but nonetheless held that US national security powers and programs conflict with the fundamental rights of people in the EU (in part due to overly broad data collection) and do not provide adequate remedies for EU persons who suspect their fundamental rights have been violated. The Court suggested that unspecified additional protections might make such transfers acceptable. The EDPB’s new draft guidance provides a step-by-step framework for assessing the privacy risks of data transfers and describes additional protections that may be acceptable to EU regulators.
What is the end goal?
The objective of the assessment framework and additional protections proposed by the EDPB is to satisfy four “European Essential Guarantees”—principles that must be satisfied when personal data is processed in a way (such as for national security purposes) that conflicts with privacy rights:
- Processing should be based on clear, precise and accessible rules
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
- An independent oversight mechanism should exist
- Effective remedies need to be available to the individual
The Schrems II decision effectively held that US national surveillance laws fail to satisfy the European Essential Guarantees. That means that US organizations need to adopt additional measures to make sure that the personal data they receive nonetheless will be treated in a way that is acceptable under European data protection standards.
How does the EDPB suggest organizations tackle a Schrems II analysis?
The EDPB guidance provides a list of steps organizations should take to assess whether proposed data transfers meet the European Essential Guarantees outlined above:
- Know your transfers. This is a fundamental GDPR requirement in any event. Organizations should know what personal data they are transferring and be able to show that the transfers meet all requirements of the GDPR, including data minimization.
- Verify your data transfer mechanism. Organizations must be able to identify which of the GDPR’s data transfer mechanisms is in use. Typically, this will be a Commission adequacy decision, the SCCs, or BCRs (binding corporate rules). Interestingly, the EDPB executive summary states that the Article 49 derogations (explicit consent, performance of a contract, important reasons of public interest, etc.) are available “[o]nly in some cases of occasional and non-repetitive transfers,” which is a blunter statement than previous EDPB guidance that acknowledged that the GDPR’s “occasional and non-repetitive” applied only to some of the derogations. This may be a further step by the EDPB to effectively eviscerate the Article 49 derogations.
- Assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer mechanism, in the context of the specific transfer. This may be the heaviest lift for organizations. The EDPB advises that the “assessment should be primarily focused on third country legislation that is relevant to your transfer and the Article 46 GDPR transfer tool you are relying on and that may undermine its level of protection.” In other words, how does the legislation fare when assessed against the European Essential Guarantees? This will be the primary route of analysis for US organizations, since US national surveillance activities are governed by published legislation, including publicly available ancillary regulations and guidelines. Many US organizations will find that they are not directly subject to the FISA Section 702 administrative subpoenas (commonly referred to as “national security letters”) discussed extensively in Schrems II, but that their cloud service providers, e-mail hosts and potentially other service providers are. US organizations need to assess any resulting privacy risks throughout their data custody chain. The EDPB goes on to acknowledge that some countries conduct surveillance activities without a legal framework or with limited transparency and recommends some steps to take. US organizations are relatively fortunate in that they can easily access the US national security legislation that governs US surveillance programs, along with a substantial amount of publicly available information describing these programs and the internal controls designed to prevent their abuse.
- Identify and adopt supplementary measures as necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. The next section of this article discusses these measures.
- Take any formal procedural steps required by your data transfer mechanism to adopt your supplementary measures.
- Periodically re-evaluate and monitor the adequacy of your supplementary measures.
Recommendations for Additional Protections
The EDPB’s key recommendations for additional technical protections include:
- Robust encryption. However, encryption will only count as an additional protection if there is no legal obligation to provide the encryption key to a government authority. (This is a hot topic in many countries, not just the US.) Even though it is not a silver bullet, the EDPB guidelines, taken as a whole, are likely to make encryption a virtually mandatory standard tool for safeguarding EU personal data.
- Pseudonymization prior to transfer. Pseudonymization has the benefit of allowing multiple records to be associated with one individual, but without identifying the individual as such. It may be useful in certain cases—and worthless in others where it’s necessary to know who the person is in order to make proper use of the information. Furthermore, organizations need to consider carefully the risk that a specific person could be identified by looking at his or her pseudonymized data.
The EDPB’s key recommendations for additional procedural or contractual protections include:
- Due diligence and transparency commitments. The data importer would commit to doing a deep dive on its national surveillance laws and their potential impacts on the data transfer. The data importer would also commit to providing as much notice as legally permitted concerning any request from, or disclosures to, government authorities. Finally, the data importer would state the restrictions it may be under in making such disclosures. All of this could be packaged as a formal due diligence exercise that the data exporter and data importer would complete prior to initiating a data transfer.
- Contractual commitments as to the IT solutions in use. Specifically, the data importer would make representations with respect to the absence of back doors or other software features intentionally designed to allow a government authority to access data.
- Enhanced technical audit provisions. The data importer would agree to more specific technical audit provisions designed to allow the data exporter to satisfy itself that the data importer was not giving personal data to government authorities. (Presumably these audits would be done by qualified third parties, but it’s hard to imagine that many US companies would be willing to submit to a potentially unlimited number of audits by EU companies or to allow unfettered access to the companies’ IT security features.)
- Use of “warrant canaries”. A warrant canary is a digital sign that a company keeps visible only if it has not received a National Security Letter (or similar requirement outside of the US). This is rather obviously a potentially risky option for a company that is subject to a gag order or any other tipping-off restriction. It is not clear whether the EDPB’s guidance will renew interest in the use of warrant canaries.
- Contractual commitments to exercise legal avenues to resist disclosure requests and to give notice to the affected parties of the request. The data importer would agree to avail itself of any rights it has to resist the disclosure request and to notify the data exporter and data subjects.
The EDPB has additional recommendations, and it is well worth reading the draft guidance in full. The guidance comes in two documents: an analysis of the European Essential Guarantees and the recommended supplementary measures. Organizations are invited to submit comments on the draft guidance during the unusually short consultation period, which ends on November 30, 2020. Instructions for submitting comments can be found here.
Finally, it’s worth remembering that we are still awaiting the updated Standard Contractual Clauses promised by the EU authorities. The new SCCs are likely to incorporate at least some of the recommendations in the draft guidance for better protecting transferred personal data.
Proceed With Caution When Remotely Monitoring Employees In The EU
One effect of COVID-19 has been a sharp increase in businesses’ use of remote surveillance solutions to protect corporate resources and monitor the productivity and behavior of employees who will be working from anywhere but the office for the foreseeable future. Although such tools can provide valuable performance insights and mitigate data loss and other risks, they can also significantly increase a business’s legal risk. This is especially true for businesses with employees working in the EU, where employee privacy is typically protected to a much greater extent than in the United States. Indeed, the German subsidiary of international retailer H&M recently learned a €35.3 million (approximately $41 million) lesson about these legal risks after being fined by a supervisory authority in connection with a workforce monitoring program that “led to a particularly intensive encroachment on employees’ civil rights.”
Employers are permitted to monitor EU employees at work, as long as they comply with the laws and regulations of both the EU and individual Member States. This includes the EU’s General Data Protection Regulation (GDPR), which applies to any U.S. or multinational business that has employees in, or monitors the behaviors of, individuals in the EU.
Remote surveillance solutions increasingly offer sophisticated features that promise—among other things—to identify suspicious activity, detect potential insider threats, and provide real-time alerts about employee behaviors. But automated technologies that generate insights or conclusions about employees based on data collected from employer-monitored systems, networks, and connected endpoints can generate additional risk because the GDPR (as well as the laws of some individual Member States) provides protections for individuals subject to automated decision making and profiling.
Further, the use of employee surveillance solutions powered by Artificial Intelligence (AI) and Machine Learning (ML) technologies may trigger additional compliance requirements under the GDPR. We will explore those issues and others and offer risk mitigation strategies that employers should consider before monitoring employees in the EU.
Businesses That Monitor Employees in the EU Must Comply With the GDPR
Remote surveillance programs can generate large amounts of personal data about a business’s employees. Common features include individual keystroke logging, live recording or screenshots of application windows or device screens, and monitoring of activity on websites and applications.
All of these forms of data collection are subject to the GDPR, and businesses must be in compliance with the law when processing EU employees’ personal data in connection with remote electronic surveillance. (Note that “process” is defined broadly enough to capture essentially any operation performed on personal data.)
The GDPR specifically protects “natural persons, whatever their nationality or place of residence, in relation to the processing of their data,” when such natural persons are in the EU. Personal data is broadly defined, and includes any information relating to an individual who can be identified by reference to an identifier such as name, an identification number, location data, or an online identifier.
Unlike some U.S. laws (such as the CCPA), the GDPR does not include carve outs for personnel records or other employee-related information. This means that the GDPR protects personal data relating to an employee working from France or Germany, even if that same information would not be protected for an employee working in New York or California.
Lawfulness, fairness, and transparency are three key principles of the GDPR, which among other things requires that a business identify a lawful basis for processing their EU employees’ personal data, be transparent about how and why it is being processed, and refrain from using it in a way that is unduly detrimental, unexpected, or misleading to the individuals concerned, or is otherwise unlawful.
In assessing lawful basis, the principles of necessity and proportionality must also be considered: the processing of the employees’ personal data must be objectively necessary to achieve the stated purposes of conducting the remote surveillance, and it must not be possible to achieve those aims by the processing of less data or some other less intrusive means. In sum, employers’ interests in monitoring employees must always be deliberately, fairly, and transparently balanced against employees’ rights to data protection and privacy.
The importance of conducting this assessment was highlighted by the case of Bărbulescu, in which the European Court of Human Rights found that a Romanian company’s decision to fire a sales engineer for using a personal internet chat account on his work computer failed to strike a fair balance between the employee’s right to respect for his private life and correspondence and the employer’s right to take measures in order to ensure the smooth running of the company.
Because consent is rendered invalid by “[a]ny element of inappropriate pressure or influence” affecting the individual’s decision, the GDPR notes that consent can only be relied upon as the lawful basis for processing in the employer-employee context “in a few exceptional circumstances.” If an employer relies on “legitimate interest” as the lawful basis, it must also inform monitored employees of their right to object to the processing and establish straightforward methods for them to do so.
An employee who objects to the processing must provide specific reasons for doing so that are based on his or her particular circumstances. In order to continue processing, the employer must be able to demonstrate compelling legitimate grounds that override the objection. Essentially, this would require the employer to conduct a fact-specific balancing test of the employer’s legitimate interest in the processing against the employee’s grounds for objection.
Using AI- and ML-Powered Features May Trigger Additional Requirements
An increasing number of remote surveillance programs have harnessed the power of ML and AI to analyze collected data and derive insights about monitored employees. Examples include features that generate reports about employee productivity or that scan employee communications to detect and provide real-time alerts of potential data security or other company policy violations. To the extent that the information generated or analyzed by the program relates to an identified or identifiable employee, it constitutes personal data that is protected under the GDPR. More sophisticated AI- or ML-enabled employee monitoring programs may carry out automated decision making or profiling (the automated processing of personal data to evaluate certain aspects about an individual, including analyzing or predicting work performance) based on the data collected. If the automated decision making, which can include profiling, is conducted without any human involvement (called “solely automated decision making” in the GDPR), it may be subject to additional requirements under Article 22 of the GDPR.
Program features that automatically notify management about potentially malicious activity by an employee, or that calculate and assign a security risk score to an employee based on their network activity, are examples of solely automated decision-making processes that can trigger additional requirements.
If a program feature relies on solely automated decision making, the business should conduct a data protection impact assessment (DPIA) to determine whether or not its use may have a legal or similarly significant effect on the monitored employees. A decision that can jeopardize or adversely affect the terms of a monitored individual’s employment is very likely to be considered a significant effect. In that case, a business may not use the feature without the explicit consent of the monitored employees—the most common scenario—or unless (much less likely) it is necessary for the entry into or performance of a contract, or otherwise authorized under the EU or applicable Member State law.
Where solely automated decision making is permitted, businesses must also specifically provide the monitored employees with information about those processes, establish straightforward methods for them to request human intervention or challenge a decision, and regularly verify that the decision making feature is working as intended. If a large number of employees are being monitored, businesses should also consider appointing a Data Protection Officer who is qualified to oversee the program.
Additional Requirements Must Be Satisfied to Monitor Sensitive Personal Data
Additional requirements will apply if a business’s employee monitoring program collects or considers sensitive personal data, which cannot be processed unless one of 10 exceptions is met. Since consent is often invalid in the employer-employee relationship, as noted above, businesses should seek to establish one of the other listed exceptions.
The categories afforded special protections under Article 9 of the GDPR include personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic information, biometric identifiers, health information, or information concerning a person’s sex life or sexual orientation. Businesses should therefore carefully scrutinize their use of features that may result in the processing of this kind of data.
Any monitoring system that either (a) captures images or recordings of the employee or their home, or (b) tracks employees’ computer or network usage beyond their interaction with the employer’s own network (such as website visits, etc.) is particularly likely to involve the processing—even if inadvertently—of sensitive personal data and should be deployed only after thorough review.
Risk Mitigation Strategies to Consider Before Monitoring EU Employees
Employers that engage in remote monitoring of employees in the EU can lessen their legal risks by taking one or more of the following steps:
- Perform a DPIA before launching any employee surveillance program, paying careful attention to the potential for acquiring and processing sensitive personal data, and the potential impacts of features that engage in automated decision making or profiling.
- Make certain that all processing of personal data by the surveillance program can and will be carried out in accordance with all the requirements of the GDPR. This may require certain features to be customized or disabled.
- Ensure that the program also complies with applicable country-specific privacy and labor requirements, which may be stricter than the GDPR.
- Verify that the program does not violate any existing union collective bargaining agreements or works council agreements that provide additional or stricter requirements than applicable laws or regulations, which are increasingly common for larger U.S.-based multinational companies operating throughout Europe.
- Obtain and document employees’ prior, informed consent to the monitoring while working remotely.
The legal implications of employee monitoring for a particular business will depend on the features of the surveillance program and how the tool is deployed. Because these factors will necessarily vary, businesses should be sure to understand how a remote employee surveillance solution works and develop a compliance strategy before it is launched in order to avoid increased risk—or potential violations—under the GDPR.
Canadian Data Privacy Laws Are Changing. Is Your Business Ready To Keep Up?
On November 17, 2020, Canada’s federal government introduced a bill to enact new legislation that would strengthen protections for individuals from privacy loss due to the failures and limitations of corporate consumer privacy measures. The proposed legislation, known as the Consumer Privacy Protection Act (“CPPA”), would be the first major overhaul of Canada’s privacy law rules on the private sector since the Personal Information Protection and Electronic Documents Act (“PIPEDA”) came into force in April 2000.
If the CPPA passes into law, it will replace the PIPEDA, currently the leading federal privacy law governing federally-regulated corporations and private sector companies in Canadian provinces and territories that do not have their own privacy legislation. The bill to enact the proposed legislation, including the CPPA, is at first reading. The next step would be for it to go to second reading and then to a committee for further review and recommendation, before ultimately receiving royal assent and passing into law.
Key Changes Proposed to Canada’s Consumer Privacy Framework
The CPPA proposes several key changes to Canada’s corporate consumer privacy rules:
- First, the CPPA imposes administrative penalties of up to 3% of global revenue or $10 million CAD for non-compliant organizations. In addition, the CPPA expands the range of privacy-related offences; penalties for certain offences under the CPPA subject non-compliant organizations to a maximum fine of 5% of global revenue or $25 million CAD.
- Second, the CPPA creates the Personal Information and Data Protection Tribunal (the “Tribunal”). The Tribunal is empowered to issue penalties and fines under the CPPA upon recommendations from the Office of the Privacy Commissioner of Canada (the “Commissioner”). The Tribunal will also adjudicate appeals from the Commissioner’s orders.
- Third, the CPPA broadens the order-making powers of the Commissioner. Under the CPPA, the Commissioner may order an organization to:
  - Take measures to comply with the CPPA;
  - Stop doing something that is in contravention of the CPPA;
  - Comply with the terms of a compliance agreement that has been entered into by the organization; or
  - Make public any measures taken or proposed to be taken to correct the policies, practices, or procedures that the organization has put in place to fulfil its obligations under the CPPA.
  Furthermore, as mentioned above, the Commissioner may recommend that the Tribunal issue a fine or penalty on an organization for violating certain provisions in the CPPA.
- Fourth, the CPPA clarifies the rules for valid consent to data sharing. To obtain valid consent under the CPPA, an organization must provide individuals with certain information before the individual can consent to having his or her data collected. Specifically, the information that organizations must provide includes the purpose(s) of the collection, use, and disclosure, the “reasonably foreseeable consequences of the collection, use or disclosure,” the types of personal information involved, and the “names of any third parties or types of third parties to which the organization may disclose the personal information.” Implied consent will be acceptable in certain circumstances, taking into account the individual’s reasonable expectations and the sensitivity of the personal information.
- Fifth, the CPPA enhances consumers’ control over the personal information organizations collect. Under the CPPA, individuals are allowed to request disposal of their personal information, and individuals are allowed to withdraw consent to the use of their information. Individuals will also be granted data mobility rights, namely the ability to transfer their personal information from one organization to another. However, it should be noted that in certain circumstances organizations will be allowed to use de-identified information without an individual’s consent. For example, the CPPA would allow organizations to disclose de-identified data to public entities in certain circumstances for “socially beneficial purposes.”
- Sixth, the CPPA introduces new transparency rules for “automated decision systems” (aka algorithms) organizations employ “to make predictions, recommendations or decisions about individuals that could have significant impacts on them.” The provisions provide individuals the right to request that organizations explain how a prediction, recommendation, or decision was made by an automated decision-making system and explain how the information was obtained.
If the CPPA passes into law, Canada would be following many other jurisdictions that have strengthened and updated their privacy laws in recent years, including the European Union.
In 2018, the European Union implemented the General Data Protection Regulation (the “GDPR”) to strengthen and modernize its corporate consumer privacy regulations. The rules and regulations contained in the GDPR inspired many of the recommendations in the House of Commons Standing Committee on Access to Information, Privacy and Ethics’ 2018 report entitled Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act (the “Report”). In turn, the Report influenced many of the new rules and regulations for corporate consumer privacy measures in the CPPA.
The GDPR’s influence on the CPPA is also relevant to the extent that the CPPA would harmonize the corporate consumer privacy rules in the European Union and Canada. Since the European Union implemented the GDPR in April 2018, Canadian companies have faced legal obstacles to doing business in the European Union. The GDPR imposes strict rules on corporate consumer privacy measures, and until now, most Canadian companies’ consumer privacy measures coincided with the comparatively lower standards in the PIPEDA. By bringing their measures in line with the CPPA, Canadian companies doing business in the European Union would likely avoid many of the legal obstacles posed by the GDPR’s standards.
Impact on Provincial Legislation
The impact of a new federal legal framework for assessing corporate consumer privacy measures on provincial data privacy legislation remains unclear at this point. In fact, many provinces are currently in the process of revising their own rules regarding consumer data privacy. Quebec has introduced Bill 64, which brings its private sector privacy law close to the GDPR. Ontario has conducted consultations to establish private sector privacy protection laws that might be stronger than the PIPEDA, while British Columbia has started a review on improving its private sector privacy law.
Steps Organizations Should be Taking Now
While companies can expect a transition period to bring their practices in line with the new legislation, we recommend companies take the following steps:
- Affirm the company’s commitment to ensuring consumer data privacy by reminding employees that data should not be misused under any circumstances, and emphasize that current privacy measures should be taken seriously;
- Organize a team to review the current state of the company’s consumer data collection practices and privacy measures;
- Identify where current practices and measures may be falling short of current statutory requirements, and where improvements can be made to enhance consumer data privacy and reduce the risks of data privacy breaches;
- Develop a plan to rectify any non-compliance with current statutory requirements and improve current practices and measures;
- Implement rectification and improvement plans; and
- Prepare current procedures for additional changes by regularly monitoring and periodically revising consumer data collection practices and privacy measures.
Mexico’s Senate Approves Bill On Cannabis Regulation Allowing Recreational Use
- Mexico’s Senate has approved a bill for the issuance of the Federal Law for the Regulation of Cannabis (Ley Federal para la Regulación del Cannabis), and for the amendment and addition of several provisions to the General Health Law (Ley General de Salud) and the Federal Criminal Law (Código Penal Federal), allowing the recreational use of cannabis.
- The draft has been given to the Chamber of Deputies for its discussion, and, if applicable, approval. The Chamber of Deputies may have additional comments on the bill.
Mexico’s Senate has approved a bill for the issuance of the Federal Law for the Regulation of Cannabis (Ley Federal para la Regulación del Cannabis or LFRC), and for the amendment and addition of several provisions to the General Health Law (Ley General de Salud) and the Federal Criminal Law (Código Penal Federal), allowing the recreational use of cannabis.
The draft has been turned over to the Chamber of Deputies for its discussion, and, if applicable, approval. The Chamber of Deputies may have additional comments on the bill.
The version of the bill approved by the Senate includes, among other aspects, the following:
- The Mexican Institute for the Regulation and Control of Cannabis (Instituto Mexicano para la Regulación y Control del Cannabis or IMRCC) is created to enforce the LFRC as a deconcentrated body of the Ministry of Health.
- Individuals aged 18 years or older are allowed to use psychoactive cannabis for recreational purposes as long as minors, individuals incapable of expressing their free and informed consent or individuals of legal age who have not granted their respective approval, are not present.
- Six to eight plants are allowed per household. Individual adults are allowed to plant, grow, harvest, use and prepare up to six plants at their home for self-consumption, or up to eight plants if more than one consuming adult person lives in the same household. Such plants shall remain in the home of the consuming adult person.
- There is a limit of 28 grams of psychoactive cannabis.
  - Sale is limited to 28 grams per day and per person, and possession is allowed up to 28 grams.
  - Fines shall apply for possession of more than 28 and fewer than 200 grams.
  - Possession of more than 200 grams shall be punishable with prison.
- Hemp is removed from the list of psychotropic substances.
- Sale of psychoactive cannabis and its derivatives for adult-use is allowed only within Mexico and by establishments holding a license granted by IMRCC.
- The following are the five IMRCC licensing types for cannabis:
  - Growing: acquisition of seeds or seedlings, planting, growing, harvesting and preparation of cannabis
  - Transformation: preparation, transformation, manufacture and production of cannabis
  - Commercialization: distribution and public sale of cannabis, its derivatives and products
  - Export or Import: distribution and sale abroad and entry to Mexico of non-psychoactive cannabis or manufactured products made of it according to the terms of applicable laws, international treaties and other applicable regulations, specifying destination or origin, respectively
  - Research: acquisition of seeds or seedlings, planting, growing, harvesting, preparation, and transformation of cannabis and its derivatives, exclusively in quantity and terms of the research protocol approved by IMRCC
Growing, transformation and commercialization licenses are mutually exclusive. IMRCC shall only grant one licensing type per holder, except for export or import licenses, which may be granted in conjunction with other licensing types.
Can Employers Mandate A COVID-19 Vaccination?
Since early March, the COVID-19 pandemic has forced employers to quickly reassess established policies and develop new policies. While a vaccine is still being developed, widespread availability of a COVID-19 vaccine is expected by early next year. In anticipation, employers should begin to carefully consider whether they will require employees to get vaccinated. Generally, employers should proceed cautiously in implementing mandatory vaccination policies. Currently, the EEOC warns against requiring employees to get a vaccination and instead advises employers to merely encourage vaccination. Employers may also face resistance from employees due to general fears of shots and doubts surrounding the safety and effectiveness of the COVID-19 vaccine. Before mandating vaccination, employers should therefore carefully balance their commitment to protect others against infectious diseases and their employees’ rights and protections under the law, particularly the Americans with Disabilities Act (ADA) and Title VII of the Civil Rights Act of 1964. Under the ADA, covered employers may be required to accommodate certain employees from mandatory vaccination policies on the basis of medical reasons. Pursuant to the ADA, qualified individuals with an ADA disability may seek an accommodation unless the accommodation is unreasonable or creates an “undue hardship” on the employer. Consequently, employers should consult with legal counsel in establishing a plan on how to deal with a possible ADA accommodation should they decide to mandate COVID-19 vaccinations.
Mandating coronavirus immunizations may also trigger Title VII protections for employees declining to get the vaccine due to their religious beliefs and practices. Similar to the ADA, Title VII requires employers to make reasonable accommodations for their employees’ religious beliefs and practices, absent an undue hardship to the employer. Deciphering the sincerity of the employee’s religious beliefs is a delicate and difficult task for employers. Employers seeking to require their employees to receive a COVID-19 vaccine must also prepare a plan addressing Title VII accommodations. There are many other key factors that play a role in an employer’s decision to mandate COVID-19 vaccines, such as industry requirements, considerations under applicable state laws, ease of availability, insurance coverage, and even ethical concerns. Helpful resources which employers should consider include the CDC’s vaccine recommendations and the EEOC website, which has been updated periodically with guidance on dealing with COVID-19.
Five Things You Should Know About Tenant Screening
If you have ever leased an apartment, house, or storefront, you have probably agreed to a background check or asked the applicant to do so. What you may not know is that the process of looking into someone’s background is regulated by state, local, and federal law. Here are five points any landlord, tenant, or screening agency should know about tenant screening laws.
Federal law provides baseline protections for tenancy applicants.
The Fair Credit Reporting Act (“FCRA”) requires that applicants both authorize screening and receive notice before any adverse action is taken based on the report. However, unlike for employment screening, tenant screeners are not required to provide an independent disclosure or a pre-adverse action notice. The Investigative Consumer Reporting Agencies Act also requires an authorization by the applicant, but those authorizations are usually subsumed within FCRA requirements. Additionally, the FCRA limits how long various items can remain on a report. While convictions can be reported indefinitely, other facts may only be reportable for seven years.
State and local ordinances often regulate tenant screening more stringently than federal law.
The past several years have seen an uptick in state and local background screening ordinances imposing stricter requirements on landlords, both in terms of paperwork and in terms of what facts may be reported. For example, California requires a certification of compliance with the ICRA and notice of the background check to be given in at least 12-point font. It also strictly construes what constitutes an adverse action triggering the applicant notice requirement; even a denial of an application or an increase in rent might qualify. Additionally, it prohibits background screeners from reporting unlawful detainer actions where the consumer prevailed. Washington also imposes additional disclosure requirements and requires that notice of adverse actions be in writing, specify the specific adverse action, and give the but-for reason based on the tenant’s application. Multiple states shorten the length of time a criminal conviction or arrest may be reported. And Seattle’s Fair Chance Housing Ordinance states that it is an unfair practice to consider or require disclosure of criminal history, subject to narrow exceptions, and that landlords may not reject an applicant simply because he is on a sex offender registry without conducting an individualized assessment and providing written notice. In California, Oakland’s ordinance takes these requirements one step farther and requires that if an adverse action is taken, the applicant must be given instructions on how to file a complaint with the city, a list of legal service providers, a copy of his criminal history and the basis for the decision, and an opportunity to respond.
Credit reporting agencies may be exposed to suit under new ordinances.
In addition to the stricter requirements, some recent state and local laws have extended the liability net to include credit reporting agencies, not just the landlords who improperly seek the information. For example, Seattle’s ordinance is not limited to property managers; it applies to screening companies and “any person” who assists in improperly providing the information. Oakland also recognizes this aiding-and-abetting theory of liability, and New York City has proposed an ordinance which would prohibit any inquiry or adverse action against someone who has been arrested or convicted and which includes an aiding-and-abetting provision.
Landlords and property owners may be subject to criminal as well as civil liability under new ordinances.
At least one city has established criminal penalties as well as civil causes of action for reporting violations. Oakland’s ordinance authorizes criminal charges to be brought against violators, in addition to a $1,000 fine per violation or individual civil actions for damages. Other localities may follow Oakland’s example. Such penalties dramatically raise the stakes for noncompliance, especially where the lines on what is and is not reportable are unclear.
When in doubt, follow the stricter jurisdiction’s rules.
For landlords and screening agencies operating in multiple jurisdictions, staying abreast of legal developments, particularly at the state and local levels, is of paramount importance. What is permissible in one neighborhood may result in criminal charges or stiff fines just across the city line. If compartmentalizing compliance by jurisdiction is not practical, or if reporting agencies operate in one state but report information to another state with different rules, they should follow the stricter jurisdiction’s requirements if they wish to avoid exposure to liability, particularly in areas that include aiding-and-abetting provisions.