
2019 CORPORATE LABOR AND EMPLOYMENT COUNSEL EXCLUSIVE
OGLETREE, DEAKINS, NASH, SMOAK & STEWART, P.C. 12-1

SCANS, SURVEILLANCE, AND SCAMS
TOP PRIVACY DEVELOPMENTS

Thomas E. Deer – Ogletree Deakins (Chicago/Indianapolis)
Cécile Martin – Ogletree Deakins (Paris)
Danielle Vanderzanden – Ogletree Deakins (Boston/Portland (ME))


TOP PRIVACY DEVELOPMENTS IN EUROPE

by Cécile Martin

I. TECHNOLOGY-DRIVEN HIRING

Tools and systems using artificial intelligence (AI) and machine-learning algorithms are developing rapidly in many sectors such as security, banking and healthcare, and also in human resources. Businesses increasingly rely on AI- and algorithm-based technologies to make recruitment easier, faster and more efficient.

Such technologies can help identify promising profiles on the internet belonging to people who did not apply for the job. Once profiles are selected, these tools save employers time by filtering a massive number of resumes and keeping, based on experience and diplomas, only the profiles deemed fit for the job. Certain technologies can even compute a percentage of fit between the candidate and the company's culture.

Software such as chatbots, or even robots, can engage in an online conversation with candidates or conduct video interviews to select the best candidates. Using AI, these tools can analyze speech rate or facial expressions to evaluate emotions and the capacity to perform correctly on the job.

For example, a leading group in the beauty and cosmetics market implemented a chatbot that asks candidates questions, which proved efficient in more than 90% of conversations. On a smartphone or computer, applicants reply and ask questions of the chatbot, which, based on these answers, "tags" the candidate's file. The system asks very factual questions such as the applicant's availability, degrees or current situation. Later, the recruiter proceeds to the next step of the hiring process with the candidates who received a certain tag. The chatbot has allowed the company to improve the experience and satisfaction of rejected candidates, who are potential customers and who, for the vast majority, would not otherwise have received a response to their application. Thus, AI technologies have many benefits for the company: enhancing recruitment and preserving a good image.

However, by establishing profiles and making automated decisions, these technologies may put candidates' rights at risk because they can lead to bias, discrimination or even exclusion. For example, a multinational e-commerce company had to abandon its recruiting tool because it was unintentionally discriminating against women. The software, which rated candidates on a five-star scale, relied on keywords mostly used by men. The explanation lies in the functioning of the AI model itself: the recruiting tool derived patterns from thousands of resumes received over a 10-year period. Because of the male predominance in the sector concerned, the system was trained on a majority of male resumes and consequently learned to treat the term "women" (used, for example, in "women's soccer team" on a resume) as a marker of a poor-quality profile.

Employers need to be aware of these risks and take steps to mitigate them. The European Data Protection Board ('EDPB', an independent European advisory body on data protection and privacy) has published Guidelines on Automated individual decision-making and Profiling and an Opinion on Data Processing at Work that can help employers understand the precautions to take with technology-driven hiring tools.

The General Data Protection Regulation ('GDPR', Regulation (EU) 2016/679), which came into force in May 2018, requires employers, under Article 5, to provide candidates with concise, intelligible and transparent information about their use of such technologies. In addition, employers must conduct a Data Protection Impact Assessment ('DPIA'), as detailed below, before implementing these recruitment tools.

Regarding the legal basis for such processing, employers should rely on consent or on the pursuit of their legitimate interests, if they can justify the necessity of using AI and algorithms to select candidates. For example, the justification can be avoiding the time a recruiter would spend sorting a significant number of resumes, and eliminating bias and discrimination. However, if the software does not involve any human intervention, the explicit consent of candidates will be required.

When using AI and algorithms, employers should also pay attention to the principle of data minimization in Article 5(1)(c) of GDPR, and accordingly collect only the personal data of candidates that can help determine whether they are fit for the job. Moreover, even though machine-learning systems become more accurate and useful with more data to compare, employers must respect the storage limitation. If a rejected candidate does not ask the employer to destroy his or her file, storage must not exceed 2 years. Only the candidate's explicit consent can extend the storage period. However, through anonymization, the employer can store the data much longer.

II. BIOMETRIC INFORMATION PRIVACY

GDPR defines biometric data as "personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data". Biometric information includes, for example, fingerprints and facial or iris recognition. Employers tend to rely on this type of data to control access to buildings or computers.

Article 9 of GDPR prohibits employers from collecting and processing special categories of data, which now include biometric data, unless an exception applies. One of these exceptions relates to employment: employers can collect and process biometric data when "processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law."

The last paragraph of this article also allows Member States to enact specific domestic rules on biometric data. Regulations on biometric data may therefore differ between Member States, so employers should check the domestic law of the country concerned before implementing a biometric system.

In France, the law has introduced a provision stating that employers can collect and process biometric data when it is strictly necessary to control access to premises, devices and apps used at the workplace. Furthermore, processing must comply with a Model Regulation drafted by the CNIL (the French Supervisory Authority), the first of its kind to be adopted in France.

First, the Model Regulation provides that biometric systems may only be used to control access to buildings or computer devices identified by the employer. It prohibits the use of biometric data requiring biological sampling (blood, saliva, etc.). It also states that the employer must demonstrate the strict necessity of using biometric data by explaining why other means, such as passwords or badges, would not provide the required level of security. The regulation also provides a limited list of the kinds of information that can be collected, which include information related to the identity and professional life of the employee, to building and computer device access, and information generated by the system itself. It also limits the categories of persons who may have access to the data. Finally, it explicitly recalls that a DPIA should be carried out before implementing a biometric system, and it enumerates a long list of technical and organizational measures employers should take to ensure an appropriate level of security.

The CNIL fined a French company 10,000 euros for using a biometric system to control employees' working time, and for lacking the technical and organizational measures needed to ensure an appropriate level of security. The CNIL noted that the computer devices were secured by neither strong passwords nor automatic locking.

III. EUROPEAN DATA PROTECTION LAW UPDATE

A. Privacy Shield

On 9 July 2019, the Court of Justice of the EU heard case C-311/18, Irish Data Protection Commissioner v. Max Schrems ('Schrems II'), but the Court has not yet ruled. Schrems's complaint seeks to stop data transfers made by a social media company from the EU to the US, on the basis that the company transfers the personal data of EU citizens for processing that violates their fundamental rights.

In 2015, the Court had already ruled on a case brought by Max Schrems and invalidated Safe Harbor, the agreement allowing data transfers between the EU and the US, because the framework did not meet the level of protection required by the EU (Case C-362/14).

In its decision, expected in late 2019 or early 2020, the Court will decide whether the Privacy Shield and the Standard Contractual Clauses meet this level of protection. If the Court invalidates one or both mechanisms, companies will have to take appropriate steps to keep data flowing lawfully between the EU and the US. If both mechanisms are invalidated, the only option left would be Binding Corporate Rules.

During the pleadings, the EDPB considered "that the COM is not obliged to examine whether the access of the public authorities of a given third country to the data transferred respects the level of protection required by EU law. The EDPB considers that this is primarily the responsibility of the exporter and the importer, when considering whether to enter into the SCCs. This means that it is also for [Supervisory Authorities] (SAs), in particular on the basis of a complaint, to assess whether the continuity of the protection afforded by Union law is ensured once the data were transferred, including whether the exporter and importer complied with their obligations under the SCCs. If not, SAs may suspend transfers."

Another case, brought by La Quadrature du Net, a French association protecting citizens' digital rights and freedoms, is pending before the Tribunal of the European Union (T-738/16). This claim also seeks to invalidate the Privacy Shield. The tribunal postponed the hearing to await the Court's ruling in Schrems II.

B. GDPR update

1. Sanctions in case of lack of security measures

Failure to implement adequate measures to ensure the security of processing (Article 32 of GDPR) can result in an administrative fine of up to 10 million euros or 2% of total worldwide annual turnover. Employers should pay particular attention to this security obligation, since most of the penalties imposed by SAs relate to breaches of it.

For example, the ICO (English SA) recently announced its intention to fine an airline 200 million euros for infringing GDPR, and more specifically this security obligation. Even though the ICO has not yet formally imposed the sanction, the amount represents 1.5% of the company's turnover and would be the highest fine ever imposed under GDPR. The infringement occurred during the summer of 2018, when a scam directed customers to a fake copy of the company's website and collected their personal data. This cyber incident was made possible by the company's failure to implement appropriate technical measures ensuring data security.

The ICO also announced a 110 million euro fine against another company that had failed to comply with Article 32 of GDPR and had thus exposed the personal data of 300 million of its customers. In this instance, the company took over another business that had suffered a cyber incident compromising customers' personal data. The ICO considered that the acquiring company should have taken steps to ensure the security of the other company's systems.

In France, similar incidents also led to administrative fines, though smaller in amount. The CNIL imposed a fine of 180,000 euros on an insurance company whose website allowed customers to subscribe to contracts, request quotes or access their online account. The CNIL received a complaint from a customer stating that, from his own personal account, he could access other customers' personal files. An inspection revealed that clients' documents, including bank account information, driving licenses, car registration documents, and information related to hit-and-run incidents or driving license withdrawals, were accessible through hyperlinks or by modifying the end of URL addresses.

The CNIL also fined a real estate company 400,000 euros for a very similar offense. The company's website allowed rental applicants to upload the personal documents required for their application. The French SA received a complaint from a user explaining that, from his own personal account, he could access other applicants' personal documents, including ID cards, healthcare cards, divorce judgments and even bank statements.
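One defensive pattern for the defect behind both CNIL cases above (a logged-in customer could reach other customers' files simply by changing the document id at the end of the URL), written as an added Python example that is not from the paper or from the companies involved; the document store, account names and access-log lines are constructed for illustration.

```python
"""Ownership check for per-customer documents, plus a simple enumeration detector.

Added illustration (not the paper's own material): a constructed in-memory
document store that models a site exposing customer files by numeric URL id,
the pattern behind the CNIL fines described above.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str   # account name of the customer the file belongs to
    kind: str    # e.g. "bank_details", "driving_licence"


# Constructed sample store; ids are sequential, as a URL suffix like /files/103 would be.
DOCUMENTS = {
    101: Document(101, "alice", "bank_details"),
    102: Document(102, "alice", "driving_licence"),
    103: Document(103, "bob", "car_registration"),
    104: Document(104, "carol", "bank_details"),
}


class Forbidden(Exception):
    """Raised when an authenticated user requests a document that is not theirs."""


def fetch_document_vulnerable(user: str, doc_id: int):
    """The defect described in the text: authentication is checked (the caller is a
    logged-in user) but authorization is not, so whatever id is in the URL is served."""
    return DOCUMENTS.get(doc_id)


def fetch_document(user: str, doc_id: int) -> Document:
    """Hardened version: resolve the object, then enforce that the caller owns it.
    A missing id and a foreign id raise the same error, so the response does not
    reveal which ids exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != user:
        raise Forbidden(f"user {user!r} may not access document {doc_id}")
    return doc


def is_allowed(user: str, doc_id: int) -> bool:
    """Convenience wrapper: True when the hardened check would serve the document."""
    try:
        fetch_document(user, doc_id)
    except Forbidden:
        return False
    return True


# Constructed access log, one request per line: "<user> <http_status> <doc_id>".
# Denials (403) are what the hardened handler emits for foreign or unknown ids.
SAMPLE_LOG = """\
alice 200 101
alice 200 102
bob 200 103
bob 403 104
bob 403 105
bob 403 106
bob 403 107
carol 200 104
"""


def enumeration_suspects(log_text: str, threshold: int = 3) -> list:
    """Accounts whose denied requests span at least `threshold` distinct ids.

    A legitimate user rarely trips the ownership check at all; a run of 403s
    across consecutive ids from one account is the signal worth alerting on.
    """
    denied = defaultdict(set)
    for line in log_text.splitlines():
        user, status, doc_id = line.split()
        if status == "403":
            denied[user].add(int(doc_id))
    return sorted(user for user, ids in denied.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("vulnerable:", fetch_document_vulnerable("bob", 104))   # serves carol's file
    print("hardened  :", is_allowed("bob", 104))                  # False
    print("suspects  :", enumeration_suspects(SAMPLE_LOG))        # ['bob']
```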


Regarding data breaches, the Romanian SA also issued, in July 2019, two fines of 3,000 and 15,000 euros against companies that had failed to implement adequate technical and organizational measures to ensure an appropriate level of security.

In September 2019, it was the turn of the Polish SA to fine a company 645,000 euros for a lack of security measures protecting personal data. It is estimated that the personal data of 2.2 million individuals were compromised because of several failings, including an inadequate risk evaluation and insufficient safeguards. For most of these individuals, the compromised data included name, email, address or phone number. For a smaller group, however, the leaked data were more personal, including educational background, marital status, or the source and amount of income.

2. Brexit

The United Kingdom is expected to leave the European Union on 31 October 2019, but the UK Parliament has so far failed to ratify a withdrawal agreement with the EU. Consequently, the ICO has published guidance to help businesses with the impact of a no-deal Brexit on the protection of personal data. The EDPB also adopted an Information note on data transfers under the GDPR in the event of a no-deal Brexit, whose provisions are stricter than the ICO's view.

When the United Kingdom is no longer a member of the EU but a "third country", the GDPR will cease to apply in the UK. However, Brexit should not affect data protection rules too much, since the UK planned in its 2018 EU Withdrawal Act (EUWA) to maintain the high standard of protection set out by GDPR. The rights and obligations currently provided by GDPR and the 2018 Data Protection Act would remain largely the same.

The exit will barely affect small businesses operating solely within the United Kingdom that do not transfer data outside the country. Businesses operating internationally, however, must pay special attention to how they maintain data flows between the UK and other countries. The principal concern is data transfers from the EEA to the UK, which must rely on specific instruments.

As a reminder, transfers of personal data are free within the EEA. To send personal data to a country outside the EEA (a 'restricted transfer'), European businesses must rely on an adequacy decision, an appropriate safeguard (usually Binding Corporate Rules or Standard Contractual Clauses) or an exception.

Transfers between UK and the EEA

After Brexit, transferring data from the EU to the UK will be considered a restricted transfer. Since the UK is maintaining the same protection as GDPR in its domestic law, the European Union will most likely adopt an adequacy decision for the UK. Nevertheless, that process may last a few years and can only begin after the formal exit. Therefore, in case of a no-deal Brexit, the EDPB recommends that companies within the EEA use an appropriate safeguard (standard and ad hoc contractual clauses, binding corporate rules, codes of conduct and certifications) or, where applicable, an exception to transfer data to the UK, as long as no adequacy decision has been adopted.


Regarding transfers from the UK to EU member states, EEA countries, and third countries for which the EU has already issued an adequacy decision, the UK government has confirmed that personal data will continue to flow freely because the UK will recognize these adequacy decisions.

Transfers between UK and the US

Regarding transfers between the UK and the US relying on the Privacy Shield, US businesses need to update their public commitment to comply with the Privacy Shield so that it extends to personal data flows from the UK. To avoid any interruption of data flows, businesses must modify their commitment before 31 October 2019 in a no-deal scenario, or before the end of the transition period (31 December 2020) if an agreement is ratified. If the transfer concerns HR data, businesses must also update their HR privacy policy.

Transfers between the UK and third countries

The UK government confirmed that organizations currently relying on standard contractual clauses or binding corporate rules to transfer data from or to the UK will be able to continue such transfers.

C. DPIA

The GDPR requires companies to carry out a Data Protection Impact Assessment ('DPIA') before implementing certain data processing operations within their organization.

The Article 29 Working Party (the predecessor of the EDPB) published a set of guidelines on DPIAs in 2017 (Guidelines WP 248). Since national SAs are required to establish and publish a list of processing operations for which a DPIA is mandatory (Article 35(4) GDPR), and are encouraged to publish a list of operations exempted from a DPIA (Article 35(5) GDPR), these guidelines aim to develop a common European framework for DPIAs. In addition, the opinions issued by the EDPB on these lists also help to develop a uniform approach.

All 31 members of the EDPB (the 28 EU member states plus Iceland, Liechtenstein and Norway) have already published a list of processing operations for which a DPIA is mandatory. Furthermore, France, Spain and the Czech Republic have also drafted lists of processing operations exempt from a DPIA, but have not yet published them.

Requirement or exemption to carry out a DPIA

According to Article 35 of GDPR, this requirement applies where the processing operation is "likely to result in a high risk to the rights and freedoms of natural persons". The EDPB established nine criteria used to determine whether a DPIA is required:

1. Evaluation or scoring;
2. Automated decision-making with legal or similar significant effect;
3. Systematic monitoring;
4. Sensitive data or data of a highly personal nature;
5. Data processed on a large scale;
6. Matching or combining datasets;
7. Data concerning vulnerable data subjects;
8. Innovative use or applying new technological or organizational solutions;
9. Preventing data subjects from exercising a right or using a service or contract.

The Board considers that a DPIA should be conducted when two of these nine criteria are met.

Even though disparities exist between the national lists, implementing technologies such as video surveillance, geolocation, and especially new technologies involving profiling and/or handling sensitive data (like artificial intelligence or biometrics) will most likely always require a DPIA. Furthermore, any processing aimed at monitoring employees should require a DPIA, since it meets two criteria of the EDPB guidelines: systematic monitoring (criterion 3) and data concerning vulnerable data subjects (criterion 7).

Regarding employees' personal data, the lists of France, the UK and Spain all consider biometric processing and the profiling of individuals likely to result in a high risk. However, while France specifically refers to profiling for HR purposes, including recruitment tools using algorithms or predictive analysis, the Spanish list refers to profiling, including for the purpose of performance at work, without further precision. By contrast, the UK list refers only to large-scale profiling, without any mention of employees; the examples given (such as IoT applications or fitness-monitoring software) seem to concern consumers more than employees.

Even though they all consider, in general, that monitoring employees, and especially geolocation, requires a DPIA, they differ in their wording: France is the only one to mention expressly video surveillance and cyber surveillance, including tools such as Data Loss Prevention, while the UK refers generally to "data processing at the workplace".

Only Spain and the UK mention explicitly that the mere use of innovative technologies must undergo a DPIA, and only the UK cites AI.

Unlike Spain, France and the UK both consider whistleblowing procedures to require a DPIA.

On 10 July 2019, the EDPB adopted its opinions on the draft lists of France, Spain and the Czech Republic of processing operations exempt from a DPIA. The French SA (the CNIL) intended to exempt from a DPIA "processing carried out solely for the purpose of managing access controls and schedules, excluding any biometric device". In its opinion 13/2019, the EDPB considered that the CNIL should amend this provision so that processing revealing sensitive data or data of a highly personal nature would not be exempt from a DPIA. Regarding access control, the advisory body recommended that only non-biometric mechanisms be exempt from a DPIA. Moreover, regarding work schedules, it recommended that only processing whose sole purpose is calculating working time be covered by the exemption. In its opinion 11/2019, the EDPB recommended that the Czech SA remove from its draft list "processing involving the taking of footage by a camera installed on a vehicle", which should therefore be subject to a DPIA.


2. Obligation to consult SA

According to Article 36 GDPR, when conducting a DPIA, a data controller must assess the risks that the processing poses to the rights and freedoms of data subjects. The data controller must then define measures to mitigate the identified risks and reduce them to an appropriate level. If, even after these measures have been identified, the risks to rights and freedoms remain high, the data controller must consult the relevant SA before implementing the processing.

3. Sanction

Failure to comply with these requirements can lead to an administrative fine of up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher (Article 83(4) GDPR).

In August 2019, the Swedish SA fined a municipality approximately 20,000 euros for running a facial recognition trial in a school to monitor students' attendance. Besides the unlawful processing of biometric data, the school had failed to conduct a DPIA properly and had failed to consult the SA before implementation.

IV. PHYSICAL AND ELECTRONIC SURVEILLANCE

Including social media and other cyber surveillance

In Europe, all data processing must rely on a legal basis. The EU does not consider the consent given by employees to be genuine consent, meaning that the employer cannot rely on it to collect or process their personal data. Any cyber surveillance system will most likely have to be necessary to protect the employer's legitimate interests or to perform employment contracts.

Any kind of cyber surveillance will most likely meet at least two criteria of the list established by the EDPB and thus require a DPIA to be carried out before its implementation.

Employers must also inform employees of any monitoring system to be implemented within the firm. Some European countries, like France, also require employers to inform and consult the Workers' Council before implementing the means and techniques used to monitor employees' activity.

1. Social Media

Regarding social media, the EDPB considers that the fact that an employee's or job candidate's profile is public does not mean the employer is authorized to freely process the personal data it contains. The employer should rely on a legal basis for that, such as legitimate interest.

Employers can collect and process data contained on a prospective employee's LinkedIn profile, for example, if the collection of those data is necessary and relevant to the performance of the job offered. Before inspecting the profile of a prospective employee, the employer should verify that the person uses the social media platform for a professional purpose.


For current or former employees, employers should avoid screening their social media profiles unless they have a legitimate interest in doing so. For example, an employer can inspect the LinkedIn profiles of former employees if it can prove that this is the only means available to verify that they comply with their non-compete clause.

2. Video surveillance

In addition to the opinion on data processing at work (opinion 2/2017), which provides some guidance on video surveillance of employees, the EDPB recently published a set of Guidelines specifically on the use of video surveillance (Guidelines 3/2019).

Except in rare situations, for example where an employer asks employees to be filmed for a video promoting the company, consent will never be the legal basis for video surveillance. The only possible legal basis here is the employer's legitimate interest. Monitoring employees is considered a legitimate interest within the European Union, as long as the employees' interests or fundamental rights and freedoms do not override the pursuit of that interest.

Again, carrying out a DPIA and providing employees with information is necessary.

Even if the employer has a legitimate interest in monitoring employees through video surveillance, such monitoring must not be excessive. This means that CCTV cameras should not directly record employees but should point at entrances or the company's property. The French SA recently fined a small business 20,000 euros for excessive video surveillance: the cameras pointed directly and continuously at employees, who had not received appropriate information about the monitoring system.

Video surveillance may reveal highly personal data and even special categories of data (sexuality, political or religious beliefs, trade union membership, etc.) about employees. Employers cannot use video surveillance to identify special categories of data. For example, an employer cannot use video surveillance footage of a strike to identify employees taking part in the demonstration.

Employers must also be careful about storage limits. It is recommended to keep footage only a few days and in any event no longer than a month.

B. Geolocation

Since an employer can never rely on consent as a legal basis for monitoring employees or implementing new technologies, the collection and processing of employees' geolocation data should rely on a legitimate interest of the employer.

Geolocation data is considered very intrusive because it is likely to reveal very sensitive aspects of the employee's personality (sexuality, political or religious beliefs, trade union membership, etc.). Therefore, data protection regulators stress that geolocation data should only be used as a "last resort", when there is no other means of achieving the purpose.

The French Supreme Court ruled that "the use of a geolocation system to ensure working time control, which is lawful only when such control cannot be carried out by any other means, even if less effective than geolocation, is not justified when the employee has freedom in the organization of his work" (for example itinerant sales representatives) (Cass., 19 December 2018, n°17-14.631).

The geolocation system must be designed so as to allow employees to deactivate it when they are not under the employer’s subordination (e.g. outside their working hours and during their break periods). It would also be illegal to geolocate staff representatives during their delegation hours.

In any event, geolocation cannot be used to monitor and evaluate employees or to check compliance with speed limits.

A DPIA and prior information of employees are, of course, also required for geolocation systems.

C. Predictive Analysis

Predictive analysis software analyzes personal data and its outcomes to create patterns, then uses these patterns to predict the future. In Human Resources, using predictive analysis on employees allows employers to predict who would leave the company, when and why. With this information, measures can be taken (such as a promotion or higher pay) to prevent employees from quitting, and thus to avoid expensive employee turnover.

Article 4(4) of the GDPR defines this technology as profiling: “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work […], reliability, [or] behavior”.

Employees must be informed of the existence of profiling or automated decision-making about them based on predictive analysis software. Article 22 gives employees the right to refuse to be subject to profiling or automated decision-making unless the decision is necessary for the performance of his or her employment contract or is authorized by EU or Member State law.

Like employers using recruitment tools based on AI and algorithms, employers implementing predictive analysis systems must carry out a DPIA beforehand. Indeed, in the HR context, predictive analysis and recruitment tools aim at evaluating or scoring individuals (criterion 1) and involve automated decision-making with legal or similarly significant effects (criterion 2). In addition, employees are considered vulnerable data subjects (criterion 7) and AI and algorithms are new technological solutions (criterion 8). Since more than two criteria of the EDPB list apply, a DPIA will always be required before implementing predictive analysis solutions.

In its Guidelines on Automated individual decision-making and Profiling, the EDPB lists various measures that employers should take to ensure appropriate safeguards. For example, the EDPB recommends adopting the following good practices:

– “regular quality assurance checks of their systems to make sure that individuals are being treated fairly and not discriminated against”;
– “algorithmic auditing […] to prove that they are actually performing as intended, and not producing discriminatory, erroneous or unjustified results”;
– “for independent ‘third party’ auditing […], provide the auditor with all necessary information about how the algorithm or machine learning system works;”
– “obtaining contractual assurances for third party algorithms that auditing and testing has been carried out and the algorithm is compliant with agreed standards”;
– “specific measures for data minimization to incorporate clear retention periods for profiles and for any personal data used when creating or applying the profiles”;
– “using anonymization or pseudonymisation techniques”;
– “ways to allow the data subject to express his or her point of view and contest the decision”;
– “a mechanism for human intervention in defined cases, for example providing a link to an appeals process at the point the automated decision is delivered to the data subject, with agreed timescales for the review and a named contact point for any queries”.

V. SCAM AVOIDANCE: INFO SECURITY BEST PRACTICES

In order to prevent data breaches, the GDPR requires data controllers to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk” for the rights and freedoms of data subjects (Article 32 GDPR). To be GDPR compliant, an employer must guarantee the protection and confidentiality of employees’ personal data.

As mentioned in Article 32, technical measures refer, for example, to IT solutions such as pseudonymisation and encryption of personal data. Organizational measures can include determining who has access to personal data and to what extent, but also training employees and raising their awareness of data security.

Many SAs, such as the CNIL and the ICO, have published comprehensive guidance to help employers take steps to ensure an appropriate level of security. When implementing new technologies that can potentially result in a high risk for the rights and freedoms of employees, the CNIL recommends that employers adopt the following measures:

– Pseudonymisation, which is a technique whereby a pseudonym replaces the name of the employee to whom the data relates;
– Data minimization;
– Regular auditing of the systems;
– Raising awareness of employees through information and an IT charter;
– Securing authentication of employees with unique logins and strong passwords;
– Managing authorizations by defining who has access to what data;
– Tracing accesses and managing incidents (logging system and data breach notification procedure);
– Securing workstations with automatic locking, antivirus software, and firewalls;
– Securing mobile computing through encryption and regular backups or synchronizations of data;
– Protecting the internal computer network;
– Securing servers by limiting access and installing updates without delay;
– Securing websites by using the TLS protocol and placing a consent banner for cookies that are not required;
– Backup and planning for continuity of activity;
– Securing archiving;
– Supervising maintenance and the destruction of the data;
– Managing subcontracting through a specific clause in contracts, and ensuring the effectiveness of the guarantees provided;
– Securing exchanges with other organizations, especially through encryption;
– Protecting the premises with restricted access, alarms, and locks;
– Supervising IT developments with privacy-friendly settings;
– Using cryptographic functions (recognized algorithms and software).
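The pseudonymisation and data-minimization measures in the list above, and the Article 32 technical measures mentioned earlier, as an added example in Python. This is not code from the paper, the CNIL or the EDPB; the record fields, the key handling and the 30-day retention value used in the check are assumptions. A keyed pseudonym (HMAC-SHA256) replaces the employee identifier before HR records go to an analytics tool, the direct identifiers (name, e-mail) are dropped rather than carried along, the re-identification table is returned separately so it can be kept under restricted access, and a retention check flags profiles that have outlived their retention period.

```python
"""Pseudonymisation of HR records before they reach an analytics tool.

Added example (not from the CNIL/EDPB guidance or the paper). Field names,
sample values and the retention period are assumptions.
"""
import hmac
import hashlib
import secrets
from datetime import date, timedelta

# Fields an HR analytics model may legitimately see (data minimization) ...
ANALYTICS_FIELDS = ("department", "tenure_years", "last_review_score")
# ... and the direct identifiers that are replaced by a pseudonym or dropped.
DIRECT_IDENTIFIERS = ("employee_id", "name", "email")


def pseudonym(employee_id: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the employee id.

    The same id always maps to the same pseudonym, so records can still be
    joined, but without `key` the mapping can be neither recomputed nor
    reversed. A plain SHA-256 of the id would not do: staff numbers form a
    small space and anyone could rebuild the table by hashing every one.
    """
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return (analytics_rows, lookup_table).

    analytics_rows carry only the pseudonym plus ANALYTICS_FIELDS; the
    lookup_table (pseudonym -> employee_id) is what must stay under
    restricted access, separate from the analytics data set.
    """
    rows, lookup = [], {}
    for rec in records:
        pid = pseudonym(rec["employee_id"], key)
        lookup[pid] = rec["employee_id"]
        rows.append({"pid": pid, **{f: rec[f] for f in ANALYTICS_FIELDS}})
    return rows, lookup


def expired(created_iso: str, today_iso: str, retention_days: int) -> bool:
    """Retention check: True once a profile is past its retention period.

    Dates are ISO strings (YYYY-MM-DD); retention_days is policy-defined.
    """
    created = date.fromisoformat(created_iso)
    today = date.fromisoformat(today_iso)
    return today - created > timedelta(days=retention_days)


# Constructed sample input (fictitious employees).
SAMPLE = [
    {"employee_id": "E0001", "name": "A. Example", "email": "a@example.test",
     "department": "sales", "tenure_years": 4, "last_review_score": 3},
    {"employee_id": "E0002", "name": "B. Example", "email": "b@example.test",
     "department": "it", "tenure_years": 1, "last_review_score": 4},
]

if __name__ == "__main__":
    # In a real deployment the key is generated and stored by a key manager,
    # never alongside the analytics export (assumption: 32 random bytes here).
    key = secrets.token_bytes(32)
    rows, lookup = pseudonymise(SAMPLE, key)
    for row in rows:
        print(row)                       # no name, e-mail or staff number
    print("re-identification table entries:", len(lookup))
    print("profile expired after 30 days:",
          expired("2019-01-01", "2019-03-01", retention_days=30))
```

The split between `rows` and `lookup` is the point of the measure: the analytics team works on `rows` only, and re-identification (for example to act on a predicted departure) goes through whoever holds `lookup` and the key, which is also where access logging belongs.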

BIOMETRIC DATA

STATE LAW UPDATES – A SUMMARY

Thomas E. Deer

I. Laws Governing the Use of Biometric Data [1]

Some states have laws specifically governing when and how biometric information may be gathered and used, and how such information must be protected. These laws set out specific requirements that employers must follow, including, but not limited to, notifying employees that biometric information will be gathered and implementing a policy protecting such biometric information. The following summarizes these laws:

A. Illinois:

Illinois has a law that specifically governs the use of biometric information. Illinois’ Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”), regulates the collection, use, safeguarding, and storage of biometric information by private entities.

Under the BIPA, a private entity, including an employer, in possession of biometric identifiers (which include fingerprints and scans of hand or facial geometry) or biometric information must develop a written policy, posted and available to the public in the entity’s place of business, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three (3) years of the individual’s last business dealings with the entity (an employee’s resignation, for example), whichever occurs first.

Before obtaining biometric information, an entity must first: (i) inform the individual (or a legally authorized representative) that his or her biometric information is to be collected; (ii) indicate the purpose for collecting the biometric information and the length of time for which it is to be collected, stored, and used; and (iii) receive a written release from the individual. The term “written release” is defined in the Act, and specifically includes “in the context of employment, a release executed by an employee as a condition of employment.” Once collected, biometric information may not be sold, leased, or traded. It also may not be disclosed or disseminated unless the individual who is the subject of the biometric information consents; the disclosure completes a financial transaction requested or authorized by the individual; the disclosure is required by federal or state law; or the disclosure is required pursuant to a valid warrant or subpoena.

[1] Two other areas that are worth a mention are (i) accommodating religious beliefs, and (ii) the Genetic Information Nondiscrimination Act (GINA). Various federal, state, and local laws impose a duty to accommodate religious beliefs. The biometric finger-scanning device is considered, by some, to be a mark that is prohibited by their religious beliefs, and there are several instances where employers were required to make accommodations due to the conflict with those religious beliefs. The next area involves federal, state, and local laws limiting the collection of, and prohibiting discrimination on the basis of, medical information, such as the Americans with Disabilities Act and the Genetic Information Nondiscrimination Act (GINA). Fingerprints are not typically considered medical information, but other biometric data might be.

An entity that possesses biometric information must store, transmit, and protect the information from disclosure using a standard of care that is reasonable within the private entity's industry, and a method that is the same as or more protective than the manner in which the entity stores, transmits, and protects other confidential and sensitive information that is used to uniquely identify an individual, such as account numbers, PIN numbers, driver’s license numbers, or social security numbers. To summarize, the BIPA requires companies to have both a biometric policy and a consent form, which should be signed prior to use of biometric time clocks or other biometric equipment. The policy and consent need to address multiple issues in the BIPA such as notice, collection, use, storage and destruction of the biometric identifiers.

The Act gives a private right of action to aggrieved individuals to sue companies not in compliance with the BIPA for liquidated damages of $1,000 or $5,000 per violation, actual damages, injunctive relief and attorney’s fees. In recent years, the requirements of the BIPA have become fertile ground for class action lawsuits.

B. New York:

New York Labor Law prohibits private employers from requiring employees to be fingerprinted as a condition of employment or continued employment, unless otherwise required by law. Section 201-a of the New York Labor Law states:

    Except as otherwise provided by law, no person, as a condition of securing employment or of continuing employment, shall be required to be fingerprinted. This provision shall not apply to employees of the state or any municipal subdivisions or departments thereof, or to the employees of legally incorporated hospitals, supported in whole or in part by public funds or private endowment, or to the employees of medical colleges affiliated with such hospitals or to employees of private proprietary hospitals.

Thus, with limited exceptions, Section 201-a prohibits private employers from requiring employees to be fingerprinted as a condition of securing or continuing employment. Enacted in 1937, the purpose behind the legislation “clearly was to prevent private employers from using fingerprinting as a means for blacklisting union leaders and members.” Friedman v. Valentine, 177 Misc. 437, 442, 30 N.Y.S.2d 891, 896 (Sup. Ct., NY Cty. November 10, 1941) aff’d 266 A.D. 561, 42 N.Y.S.2d 593 (N.Y. App. Div. 1943).

Although enacted for the reason suggested above, several companies have sought opinions from the New York State Department of Labor (“NYSDOL”) as to whether the use of a biometric device in a time clock violates Section 201-a. As it turns out, the NYSDOL interprets Section 201-a as prohibiting employers from requiring employees to be fingerprinted for timekeeping purposes, and it does not matter that the time clock does not actually store the employees’ fingerprints. According to the NYSDOL, simply interpreting the fingerprint was enough to violate the Labor Law’s protections. Under the NYSDOL’s guidance, requiring the use of a finger-scanning biometric time clock or similar device would violate Section 201-a. But there are limited exceptions: (i) employees required by law to be fingerprinted (e.g., teachers) may be required to use a biometric time clock for timekeeping purposes, regardless of whether the device interprets the employee’s fingerprints; (ii) time clocks that “measure the geometry of the hand” are permissible so long as they do not scan the surface details of the hand and fingers in a manner similar or comparable to the scanning of a fingerprint; and (iii) voluntary use of a finger-scanning biometric device is permissible. (Note: employers may not take any adverse employment action against employees who forgo fingerprinting, or otherwise coerce employees to use the biometric device.) See NYSDOL Opinion Letters RO-10-0024 (April 22, 2010), RO-08-0029 (August 14, 2008) and RO-08-0091 (August 26, 2008).


While the NYSDOL’s opinion on this issue is clear, no New York court has weighed in on the use of finger-scanning devices as a timekeeping method. The weight of New York case law, however, favors deference to the NYSDOL and its opinions. Thus, while the courts have not weighed in on the use of biometric devices and Section 201-a, the NYSDOL’s position is clear: the use of biometric finger scanning that uses anything other than a scan of finger geometry is prohibited, and it is probable that the courts will defer to the NYSDOL’s interpretive guidance.

In addition to its law addressing the use of fingerprints, New York also prohibits an employer from publicly posting an employee’s “personal identifying information,” which includes Social Security number, home address or telephone number, email address, Internet identification name or password, parent’s surname and driver’s license number. Although the definition of “personal identifying information” does not yet include personal identifiers such as biometric data, safeguarding such data is a good business practice.

C. Texas:

Under Texas law, a person may not capture biometric information for commercial purposes unless it informs the individual beforehand and obtains the individual’s consent. TEX. BUS. & COM. CODE § 503.001(b). A person who possesses biometric identifiers that are captured for commercial purposes may not sell, lease, or disclose biometric information unless: the individual consents to disclosure for purposes of identification in the event of his or her disappearance or death; the disclosure completes a financial transaction the individual requested or authorized; the disclosure is required or permitted under federal or state law; or the disclosure is made to law enforcement in response to a warrant. See TEX. BUS. & COM. CODE § 503.001(c).

In addition, the person who possesses a biometric identifier must store the information using reasonable care in a manner that is the same as or more protective than how it stores other confidential information, and it must destroy the information no later than the first anniversary of the date the purpose for collecting the information expires. A business must implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business. Personal information includes unique biometric data and social security numbers.

Texas does not provide for a private cause of action under the statute, but instead charges its Attorney General with responsibility for enforcement. TEX. BUS. & COM. CODE § 503.001(d).

D. Washington

This year, the state of Washington became the third state to enact a law specifically addressing the use of biometric information. In the new law, the state provides that it “intends to require a business that collects and can attribute biometric data to a specific uniquely identified individual to disclose how it uses that biometric data, and provide notice to and obtain consent from an individual before enrolling or changing the use of that individual’s biometric identifiers in a database.”

The law provides that “a person may not enroll a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.” WASH. REV. CODE § 19.375.020. The law requires that a “person who knowingly possesses a biometric identifier of an individual that has been enrolled for a commercial purpose” must take “reasonable care” to guard against unauthorized access and may retain the information no longer than is reasonably necessary. Id.

Washington does not provide for a private cause of action under the statute, but instead charges its Attorney General with responsibility for enforcement. WASH. REV. CODE § 19.375.030.

E. Virginia:

Virginia does not have a statute governing the use of biometric data, but it does have a statute governing fingerprints. Specifically, VA. CODE § 59.1-478 requires the return or destruction of fingerprints required for any transaction within 21 days after the transaction is completed, unless the parties agree otherwise.

F. California

California does not have a biometric law, and employers in California are allowed to obtain fingerprints from employees.

However, in a quirky provision, California law makes it a criminal misdemeanor for employers to share employee fingerprints with “any other employer or third person.” CAL. LABOR CODE § 1051. In addition, any person who “knowingly causes” the employer to share employee fingerprints with a third party is also guilty of a criminal misdemeanor. Id. § 1052. In addition to criminal penalties, the statute also provides for treble damages in a civil suit. Id. § 1054. While it is difficult to imagine this situation arising, employers should be mindful that they do not share employee fingerprints with clients or obtain copies of those fingerprints from clients throughout this process.

U.S. State Privacy Law Tracker

Arkansas
  Effective date: 9-Aug-19
  Title of statute: To Amend The Personal Information Protection Act; And To Revise The Definition Of "personal Information" In The Personal Information Protection Act
  Statute citation: HB 1943
  Summary: Revises Arkansas Code section 4-110-103(7) to include biometric data in the definition of “personal information.” Requires that, in the event of a security breach which affects the personal information of more than 1,000 individuals, a notification of the breach must now also be made to the Attorney General.
  Notes: Revises existing law

California
  Effective date: 1/1/2020 (amendments pending approval)
  Title of statute: The California Consumer Privacy Act of 2018 (CCPA) (W-015-6908)
  Statute citation: Cal. Civ. Code §§ 1798.100 - 1798.199
  Summary: Recent modifications include: AB 25 (Employee Personal Information Exemption) - employee personal information would be excluded from many of the CCPA’s requirements. AB 874 (Publicly Available Information Exception) - removes a limitation on the “publicly available information” exception to the definition of personal information. If signed into law, publicly available information will be defined as “information that is lawfully made available from federal, state, or local government”. AB 1146 (Vehicle Information Exemption): AB 1146 exempts from a consumer’s
  Notes: Amendments

Illinois
  Effective date: 1-Jan-20
  Title of statute: Personal Information Protection Act
  Statute citation: Personal Information Protection Act (2013) (amended 2019)
  Summary: Amendment requiring notification to the Attorney General if a security breach affects 500+ IL residents. Must provide AG with a description of the breach, the number of affected residents, and details of any steps taken related to the incident.
  Notes: Amendment - SB 1624; 815 ILCS 530

Maine
  Effective date: 1-Jul-20
  Title of statute: The Act to Protect the Privacy of Online Consumer Information
  Statute citation: The Act to Protect the Privacy of Online Consumer Information, § 9301 (2019)
  Summary: Requires ISPs to obtain opt-in consent prior to, “using, disclosing, selling or permitting access to [a consumer’s] prohibited personal information.”
  Notes: LD 946

Maryland (breach notification)
  Effective date: Oct. 1, 2019
  Title of statute: Maryland Personal Information Protection Act - Security Breach Notification Requirements - Modifications
  Statute citation: MD Comm. L. Code § 14-3504 (2015) (amended 2019)
  Summary: Expands scope of covered businesses, including businesses that own, license, or maintain personal information of MD residents. Prohibits business liable for breach from using information "relative to a breach" for purposes other than (1)
  Notes: Amendment - HB 1154

Maryland (oral communications)
  Effective date: 1-Oct-19
  Title of statute: Interception of Oral Communication – Law Enforcement Officer
  Statute citation: Interception of Oral Communication - Law Enforcement Officer (2019)
  Summary: Subject to certain exceptions, it is unlawful under Maryland law to intercept an oral communication without the consent of all parties to the communication. One of the exceptions applies to a law enforcement officer who intercepts an oral communication through a recording device, including a body camera, in the course of the officer’s regular
  Notes: HB552 (Chapter 521)

Massachusetts
  Effective date: 11-Apr-19
  Title of statute: An Act Relative to Consumer Protection from Security Breaches
  Statute citation: An Act Relative to Consumer Protection from Security Breaches (2019)
  Summary: Requires businesses to offer complimentary credit monitoring for 18 months if a breach involves a resident’s SSN. Breach notifications are to be provided on a rolling basis to avoid delay; and, if the exposed data is owned by a third party, then notice must identify that
  Notes: HB 4806

Nevada
  Effective date: Oct 1, 2019
  Statute citation: BDR 52-920
  Summary: Amends the state’s existing online privacy law for owners and operators of Internet websites or online commercial providers. Prohibits sale of certain consumer information by an operator of an Internet website or online service upon customer request (“opt-out of sale” option for consumers). Redefines “operator” to exclude certain entities, like financial institutions.
  Notes: S.B. 220

New York
  Effective date: 25-Jul-19
  Title of statute: Stop Hacks and Improve Electronic Data Security Act - Amendments
  Statute citation: Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) (2019)
  Summary: Expands security breach protection to the following categories: (1) biometric data, (2) account numbers and credit or debit card numbers without a security code, and (3) usernames, email addresses, passwords, and security questions and answers. Businesses
  Notes: S5575B

New Jersey
  Effective date: 1-Sep-19
  Title of statute: NJ S52
  Statute citation: P.L. 2019, c.95
  Summary: Expands the definition of “personal information” to include usernames, email addresses, passwords, and security questions and answers affiliated with an individual’s online account. If a breach occurs, businesses are required to notify affected NJ residents

Oregon
  Effective date: Jan-20
  Title of statute: Oregon Consumer Information Protection Act
  Statute citation: Oregon Consumer Information Protection Act (2019)
  Summary: Extends certain data breach notification requirements to vendors. Vendors must now notify any contracted “covered entity” within 10-days of discovering a breach of security, as well as the Attorney General, if the breach involves more than 250 consumers or
  Notes: Amendment - SB 684; formerly the “Oregon Consumer Identity Theft Protection Act”

Texas
  Effective date: 1-Jan-20
  Title of statute: Texas Identity Theft Enforcement and Protection Act - Amendments
  Statute citation: Texas Identity Theft Enforcement and Protection Act (2009) (amended 2019)
  Summary: Requires businesses to send breach notifications (1) to affected individuals without “unreasonable delay,” but no later than 60-days after identifying such breach, and (2) to the Texas Attorney General within 60-days of identifying the breach, provided that the breach
  Notes: HB 4390

Washington
  Effective date: 1-Mar-20
  Title of statute: Washington House Bill 1071
  Statute citation: C 241 L 19
  Summary: The definition of “personal information” is expanded to include the following categories: birthdate; unique private keys for signing electronic records; student, military, or password identification numbers; medical information; biometric information; and online login credentials. Businesses may send breach notifications by email, unless the breach involves the credentials associated with that email account. If the breach affects 500+ residents, then the entity must provide notice to the Attorney General, identifying the type of
  Notes: NOTICE OF PERSONAL INFORMATION DATA BREACHES--VARIOUS PROVISIONS

Scans, Surveillance, and Scams: Top Privacy Developments

Presented by Cécile Martin (Paris) and Danielle Vanderzanden (Boston/Portland (ME))

Moderated by Thomas E. Deer (Chicago/Indianapolis)

I. Technology-Driven Hiring

II. Biometric Information Privacy

III. International Data Protection Law Update

IV. U.S. Data Protection Laws

V. Physical and Electronic Surveillance

VI. Scam Avoidance

Technology-Driven Hiring – Uses

Identifying new candidates
Automating contact with candidates
Searching existing candidate pool for new roles
Engaging current employees as referrals

Technology-Driven Hiring – Uses (cont.)

Natural language processing of applications
– Classify and rank resumes
– Identify anomalies (e.g., gaps in record, inaccuracy)
Predictive coding/ranking of resumes
Conducting interviews
– Video conference
– Facial recognition/analysis

Technology-Driven Hiring – Risks

Risks related to machine learning
Disparate impact discrimination

Technology-Driven Hiring – GDPR Requirements

Legal basis: pursuit of legitimate interest or consent
Necessity to carry out a DPIA
Providing candidates with information on recruitment techniques and processing
Data minimization – limited storage time

Biometric Information Privacy

Illinois, Texas, and Washington State laws
Many other states considering BIP laws
– Alaska, California, Idaho, Massachusetts, Michigan, Montana, New Hampshire, and New York

Biometric Information Privacy (cont.)

Biometric information is biologically unique to the individual
– Facial scan
– Iris/retina
– Fingerprints
– Voiceprint
– Hand scan

Overview: The Statute

740 ILCS 14/1 et seq., Illinois Biometric Information Privacy Act (“BIPA”)
Enacted in 2008
Purpose: to give individuals notice that their “biometric identifiers” are going to be captured, used, stored, and destroyed, in order to assure them that their “biometric information” will not be stolen, sold, or misused

Overview: The Statute (cont.)

Important definitions
– Private Entity: any individual, partnership, corporation, limited liability company, association, or other group, however organized
  • Defined broadly, and will likely affect most clients
– Biometric identifier: a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry
– Biometric information: any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual

Compliance: Employer Obligations

Develop a written policy (*made available to the public), establishing a retention schedule and guidelines for permanently destroying biometric identifiers/information


Compliance: Employer Obligations (cont.)

May not collect unless it first:

– Informs the individual in writing that a biometric identifier or biometric information is being collected or stored;

– Informs the individual in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and

– Receives a written release executed by the individual

• Note: “written release” means informed written consent or, in the context of employment, a release executed by an employee as a condition of employment

Employer Obligations (cont.)

May not sell, lease, trade, or profit from biometric identifier or biometric information

May not disclose, re-disclose, or disseminate unless:

– The individual consents;

– The disclosure or re-disclosure completes a financial transaction requested or authorized by the individual;

– The disclosure or re-disclosure is required by state or federal law or municipal ordinance; or

– The disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.


Employer Obligations (cont.)

If in possession, the employer must:

– Store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.

Biometric Information Privacy – GDPR Requirements

Article 9: processing of special categories of data, including biometric data processed to uniquely identify a person, is prohibited unless one of the listed exceptions applies; obligations under employment law can be such an exception

Domestic rules regarding biometric data

France: the CNIL enacted a Model Regulation

Biometric Information Privacy – GDPR Requirements (cont.)

CNIL Model Regulation:

Biometric data may be used only for controlling access to buildings or computer devices

Prohibition on biometric data that requires biological sampling (blood, saliva, etc.)

Demonstration of the strict necessity of using biometric data

Limited list of data that can be collected

Limited list of persons who can access the data

DPIA required

Technical and organizational measures to ensure security

III. International Data Protection Law Update

1. Privacy Shield

CJEU case C-311/18 (Schrems II), ruling pending: Privacy Shield and the standard contractual clauses (SCCs) are challenged and may be invalidated by the Court

Position of the EDPB: “it is for SAs, in particular on the basis of a complaint, to assess whether the continuity of the protection afforded by Union law is ensured once the data were transferred, including whether the exporter and importer complied with their obligations under the SCCs. If not, SAs may suspend transfers.”

General Court case T-738/16 (LQDN, La Quadrature du Net): Privacy Shield also challenged; ruling postponed pending the Court’s judgment in Schrems II

2. GDPR Update

Article 32: security measures. Fines of up to 10M euros or 2% of total worldwide annual turnover

ICO: intention to fine an airline company 200M euros after a scam directed its customers to a fake website; intention to fine another company 110M euros after data of 300M customers were exposed

CNIL: two companies fined 180,000 and 400,000 euros for insecure websites that allowed customers to access other customers’ personal files

Fines also issued by Poland (645,000 euros) and Romania (3,000 and 15,000 euros)


Brexit

Expected date: 31 October 2019

In case of a no-deal Brexit:

– Transfers from the EEA to the UK: appropriate safeguards become necessary (SCCs, BCRs, codes of conduct, or certification mechanisms); an adequacy decision should eventually be adopted

– Transfers between the UK and the U.S.: companies must update their public commitment to comply with Privacy Shield so that it extends to personal data flows from the UK

– Transfers between the UK and third countries: SCCs and BCRs currently in place should remain applicable

3. Data Protection Impact Assessment (DPIA)

Article 35 GDPR; EDPB Guidelines

National lists of processing operations for which a DPIA is mandatory: all 31 members of the EDPB have published a list

National lists of processing operations exempted from a DPIA: only France, Spain, and the Czech Republic have drafted a list

Requirement to carry out a DPIA for processing operations “likely to result in a high risk to the rights and freedoms of natural persons”

EDPB: if 2 of the following 9 criteria are met, a DPIA is necessary

1. Evaluation or scoring
2. Automated decision-making with legal or similar significant effect
3. Systematic monitoring
4. Sensitive data or data of a highly personal nature
5. Data processed on a large scale
6. Matching or combining datasets
7. Data concerning vulnerable data subjects
8. Innovative use or applying new technological or organizational solutions
9. Preventing data subjects from exercising a right or using a service or contract

Obligation to consult the SA (Article 36 GDPR)

The employer must define measures to mitigate the identified risks and reduce them to an appropriate level. If, even after those measures are identified, the risks to rights and freedoms remain high, the data controller must consult the relevant SA before implementing the processing.

Sanction for failure to carry out a DPIA or to consult the SA: 10M euros or 2% of worldwide turnover

Sweden: facial recognition used in a school: fine of 20,000 euros (unlawful processing of biometric data, plus failure to conduct a DPIA and consult the Swedish SA)

IV. U.S. Data Protection Laws

Duties alleged in negligence claims

– Design, maintain, and test security system

– Implement breach-detection processes

– Timely act on system alerts and warnings

– Maintain industry standard data security measures

U.S. Data Protection Laws (cont.)

Examples of conduct alleged to be negligent

– Mailing PII in window envelopes

– Leaving private encryption keys on server

– Website permitting hackers to send dangerous links to customers

– Inadequate vendor controls

– Failure to rectify inadequate safeguards


U.S. Data Protection Laws (cont.)

Still no federal umbrella

– FTC Unfair and Deceptive Trade Practices

State patchwork continues to evolve

– California Consumer Privacy Act (CCPA)

– Nevada Internet Privacy Act

– Maine

– Cities (e.g., San Jose CA Privacy Principles)

U.S. Data Protection Laws (cont.)

Litigation risks and theories are expanding

– Invasion of privacy claims

– Negligence theory

• Duty to protect personal information

• Duty to implement and maintain reasonable security measures

V. Physical and Electronic Surveillance

Physical and Electronic Surveillance

Computer monitoring

– Electronic Communications Privacy Act

– Stored Communications Act

Telephone and voice mail monitoring

– Federal Wiretap Act

– State wiretap laws

Internet usage tracking

Video surveillance


Physical and Electronic Surveillance

GPS tracking

Driver analytics

Off-duty conduct

Social media usage

Employee searches

Physical and Electronic Surveillance – GDPR Requirements

General conditions:

Legal basis: consent is generally not valid in the employment relationship because of the imbalance of power; rely on legitimate interest or necessity for the performance of the employment contract

DPIA

Information of employees prior to implementation

Some countries also require information and consultation of Workers’ Council

Physical and Electronic Surveillance – GDPR Requirements

Social Media

– Legal basis: legitimate interest, for example

– Only if the account is used for a professional purpose by the employee

Video Surveillance

– Legal basis: legitimate interest, as long as employees’ interests or fundamental rights and freedoms do not override the pursuit of such interest

– DPIA

– Must not be excessive: the CNIL fined a company 20,000 euros for excessive video surveillance

– Must not be used to reveal special categories of data

– Care with storage time: usually only a few days and in any event no longer than a month

Physical and Electronic Surveillance – GDPR Requirements

Geolocation

DPIA and legal basis: legitimate interest

Should only be used as a ‘last resort’

French Supreme Court: “the use of a geolocation system to ensure working time control, which is lawful only when such control cannot be carried out by any other means, even if less effective than geolocation, is not justified when the employee has freedom in the organization of his work” (Cass., 19 December 2018, n°17-14.631)

Must allow employees to deactivate it during break periods

Illegal to geolocate staff representatives during delegation hours

Can never be used to monitor and evaluate employees or to control respect of speed limits

Physical and Electronic Surveillance – GDPR Requirements

Predictive Analysis

Article 4 GDPR defines profiling as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, reliability, [or] behavior”

Article 22 GDPR: right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, unless the decision is necessary for the performance of the employment contract

VI. Scam Avoidance

Scam Avoidance – GDPR Requirements

Article 32 GDPR: Obligation to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk for the rights and freedoms of data subjects

CNIL guidance on security:

Pseudonymisation

Data minimization

Regular auditing

Encryption

Securing websites, servers, and workstations

Etc.

Scans, Surveillance, and Scams—Top Privacy Developments

Presented by Cécile Martin (Paris) and Danielle Vanderzanden (Boston/Portland (ME))

Moderated by Thomas E. Deer (Chicago/Indianapolis)

Thomas E. Deer
Shareholder  ||  Chicago, Indianapolis

Mr. Deer is currently serving his second term as a member of the Firm’s Board of Directors. Mr. Deer represents management in a variety of employment-related matters, including litigation involving age, race, sex, and disability discrimination claims, covenants not to compete, trade secrets, wage and hour claims, ERISA claims, and other workplace torts. Mr. Deer has a national employment practice, and has defended cases for employers from coast to coast. Mr. Deer also serves as the relationship partner for a number of the firm’s national clients. In that role, he manages an Ogletree Deakins team to service the client’s labor and employment needs across a number of jurisdictions. Mr. Deer has particular industry experience in the retail, financial, staffing, and higher education industries. Since ����, Mr. Deer has been named in every edition of The Best Lawyers in America.

Mr. Deer has acted as lead trial counsel in employment discrimination/wrongful discharge and non-compete cases in federal district and state courts. At one jury trial, Mr. Deer’s client received a defense verdict of no liability on a novel “gender plus” legal theory. In another, Mr. Deer’s client received a directed verdict on liability.

Mr. Deer also practices traditional labor law. His labor experience includes bargaining contracts, handling labor arbitrations, grievance administration, and the defense of unfair labor practice charges before the NLRB.

Mr. Deer is a frequent speaker and author. He has been a speaker and moderator at American Bar Association meetings, including twice at the ABA’s Annual Meeting. He regularly performs training for clients on all aspects of labor and employment law.

Cécile Martin
Managing Partner  ||  Paris

Cécile Martin is the Managing Partner of the Ogletree Deakins Paris office and is a co-chair of the firm’s Mergers and Acquisitions practice group. She advises clients on compensation policies (including material risk takers), discrimination and harassment litigation, corporate restructuring, mass redundancy plans, as well as collective litigation.

Having started her career at the French Data Protection Agency (CNIL), Cécile has developed leading-edge skills, particularly on topics related to GDPR employee monitoring at the workplace, whistleblowing alerts, social media use, and international data transfer.

Cécile has been a member of the European Advisory Board of the International Association of Privacy Professionals (IAPP) since ���� and is also a member of the firm’s International and Data Privacy practice groups. She was ranked in ���� and ���� as a “Next Generation Lawyer” by Legal ��� and “Up-and-Coming” by Chambers. She lectures on data protection law at Paris La Sorbonne University and regularly provides training to companies regarding compliance with the GDPR.

Cécile speaks French and English.

Danielle Vanderzanden
Shareholder  ||  Boston, Portland (ME)

Ms. Vanderzanden is a Shareholder in the Boston and Portland (ME) offices, and Co-Chair of the firm’s Data Privacy Practice Group. She specializes in the areas of privacy, restrictive covenant, wage and hour, discrimination, and labor and employment litigation and counseling. She devotes her practice to helping employers with employment-related disputes, conducting investigations, and providing counsel to clients seeking to reduce their potential for liability to their employees and third parties. She has personally conducted dozens of investigations, including investigations involving employee allegations of misconduct by company executives and systemic discrimination.

She is CIPP/US certified by the International Association of Privacy Professionals and provides advice regarding cybersecurity and privacy matters, including applicable state, federal, and multi-national privacy and information security requirements. For nearly ten years, she has provided clients with advice regarding written information security policies and all aspects of data breach remediation, response, and notification. She has counseled dozens of clients through the process of complying with a myriad of data breach notification requirements among the �� United States and in a variety of multi-national data breach scenarios. She routinely helps clients navigate the choppy waters churned by the challenges of social networking sites, the Internet of Things, and related technological developments. In ����, the National Law Journal selected Ms. Vanderzanden for inclusion on its inaugural list of “Cybersecurity & Data Privacy Trailblazers.”

She has successfully represented clients in numerous cases involving restrictive covenants and intellectual property disputes and claims for ERISA benefits and executive compensation. She has defended single plaintiff and class and collective action wage and hour disputes (including, but not limited to, claims under the Fair Labor Standards Act, the Massachusetts Wage Payment Law, and the Massachusetts Tip Pooling Statute); sex, race, age, religion, and disability discrimination and/or harassment claims; and tort and retaliation matters. She has many years of experience defending clients against privacy-related claims, and she regularly helps clients develop policies, practices, protocols, training programs, audits, and remedial measures to diminish the risks associated with information security breaches.

Ms. Vanderzanden regularly speaks before industry groups and legal organizations and at conferences, roundtables, webinars, and seminars. She also provides internal training programs on topics such as data privacy and security compliance, conducting effective internal investigations, protecting intellectual property and human resource assets, and complying with applicable wage and anti-discrimination laws. She is an effective trial lawyer who has tried over �� cases by herself or as first chair and has managed and resolved or taken to hearing dozens of employment arbitrations.

In addition to many years of experience litigating in the U.S. Court of Appeals, First and Second Circuits, and in the state and federal courts in Massachusetts, Maine, New Hampshire, and Vermont, she also has represented numerous clients in arbitrations before the AAA, NASD, and FINRA.

Comments of others, particularly clients, best describe Ms. Vanderzanden’s legal skills. The ���� Chambers and Partners Client Guide notes that clients say that she “hones in on the issues with a laser-like focus and is creative in how she makes her points.” The same Guide described her as “incredibly talented, very quick on her feet and very good strategically.” In its ���� Client Guide, Chambers described Ms. Vanderzanden as providing “immediate, practical and comprehensive advice in all areas of employment law.” And, the ���� Client Guide reported that she “is praised for her outstanding work in noncompete and wage and hour claims.”