TRANSCRIPT
2019 CORPORATE LABOR AND EMPLOYMENT COUNSEL EXCLUSIVE
OGLETREE, DEAKINS, NASH, SMOAK & STEWART, P.C. 12-1
SCANS, SURVEILLANCE,
AND SCAMS
TOP PRIVACY DEVELOPMENTS
Thomas E. Deer – Ogletree Deakins (Chicago/Indianapolis)
Cécile Martin – Ogletree Deakins (Paris)
Danielle Vanderzanden – Ogletree Deakins (Boston/Portland (ME))
TOP PRIVACY DEVELOPMENTS IN EUROPE
by Cécile Martin
I. TECHNOLOGY-DRIVEN HIRING
Tools and systems using artificial intelligence (AI) and machine-learning algorithms are
increasingly used in many sectors, such as security, banking or healthcare, but also in human
resources. Businesses rely more and more on AI- and algorithm-based technologies to make
recruitment easier, faster, and more efficient.
Such technologies can help identify promising profiles on the internet belonging to people who
did not apply for the job. Once profiles are selected, these tools save employers time by filtering
a massive number of resumes and keeping, based on experience and diplomas, only the profiles
deemed fit for the job. Certain technologies can even compute a percentage of fit between the
candidate and the company’s culture.
Software such as chatbots, or even robots, can engage in an online conversation with
candidates, or conduct video interviews, to select the best candidates. Using AI, these tools can
analyze speech rate or facial expressions to evaluate emotions and the capacity to perform well
on the job.
For example, a leading group in the beauty and cosmetics market implemented a chatbot that
asks candidates questions, which proved effective in more than 90% of the conversations. On
smartphones or computers, applicants can reply and ask questions to the chatbot, which, based on
these answers, “tags” the candidate’s file. The system asks very factual questions, such as the
availability, the degrees, or the current situation of the applicant. Later, the recruiter
proceeds to the next step of the hiring process with the candidates who received a certain tag.
The chatbot has allowed the company to improve the experience and satisfaction of rejected
candidates, who are potential customers and who, for the vast majority, would not usually
receive a response to their application without the chatbot. Thus, AI technologies have many
benefits for the company: enhancing recruitment and preserving a good image.
However, these technologies, by building profiles and making automated decisions, may put
candidates’ rights at risk because they can lead to bias, discrimination or even exclusion. For
example, a multinational e-commerce company had to abandon its recruiting tool because it was
unintentionally discriminating against women. The software, which rated candidates on a
five-star scale, relied on keywords mostly used by men. The explanation lies in the functioning
of the AI model itself. The recruiting tool derived patterns from thousands of resumes received
over a 10-year period. Because of the male predominance in the sector concerned, the system was
trained on a majority of male resumes and consequently learned to treat the term “women” as a
marker of a poor-quality profile (as used, for example, in “women’s soccer team” on a resume).
Employers need to be aware of these risks and take certain steps to mitigate them. The
European Data Protection Board (‘EDPB’), an independent European advisory body on data
protection and privacy, published Guidelines on Automated individual decision-making and Profiling
and an Opinion on Data Processing at Work that can help employers understand the precautions
to take with technology-driven hiring tools.
The General Data Protection Regulation (‘GDPR’) (Regulation (EU) 2016/679), which came
into force in May 2018, requires employers, under its Article 5, to provide candidates with
concise, intelligible and transparent information regarding their use of such technologies. In
addition, employers must conduct a Data Protection Impact Assessment (‘DPIA’), as detailed
below, before implementing these recruitment tools.
Regarding the legal basis for such processing, employers should rely on consent or on the
pursuit of their legitimate interests, provided they can justify the necessity of using AI and
algorithms to select candidates. For example, the justification can be avoiding the time a
recruiter would waste sorting a large number of resumes, and eliminating bias and
discrimination. However, if the software involves no human intervention at all, the explicit
consent of candidates will be required.
When using AI and algorithms, employers should also pay attention to the principle of data
minimization, set out in Article 5(1)(c) of the GDPR, and accordingly collect only the personal
data of candidates that helps determine whether they are fit for the job. Moreover, even though
machine-learning systems become more accurate and useful the more data they have to compare,
employers should be careful about storage limitation. If a rejected candidate does not ask the
employer to destroy his or her file, storage must not exceed 2 years. Only the explicit consent
of the candidate can extend the storage period. Through anonymization, however, the employer can
store the data much longer.
II. BIOMETRIC INFORMATION PRIVACY
The GDPR defines biometric data as “personal data resulting from specific technical
processing relating to the physical, physiological or behavioral characteristics of a natural
person, which allow or confirm the unique identification of that natural person, such as facial
images or dactyloscopic data”. Biometric information thus covers, for example, fingerprints and
facial or iris recognition. Employers tend to rely on this type of data to control access to
buildings or computers.
Article 9 of the GDPR prohibits employers from collecting and processing special categories of
data, which now include biometric data, unless an exception applies. One of these exceptions
relates to employment. Accordingly, employers can collect and process biometric data when “processing is
necessary for the purposes of carrying out the obligations and exercising specific rights of the
controller or of the data subject in the field of employment and social security and social
protection law.”
The last paragraph of this article also allows Member States to enact specific domestic
rules regarding biometric data. Regulations regarding biometric data may therefore differ between
Member States, so employers should check the domestic law of the country concerned before
implementing a biometric system.
In France, the law has introduced a provision stating that employers can collect and
process biometric data when it is strictly necessary to control access to premises, devices and
apps used at the workplace. Furthermore, processing must comply with a Model Regulation
drafted by the CNIL (the French Supervisory Authority), the first of its kind ever adopted in
France.
First, the Model Regulation provides that biometric systems can only be used for
controlling access to buildings or computer devices identified by the employer. It prohibits the
use of biometric data requiring biological sampling (blood, saliva, etc.). It also states that the
employer must demonstrate the strict necessity of using biometric data by explaining why other
means, such as passwords or badges, would not provide the required level of security. The
regulation also provides a limited list of the kinds of information that can be collected, which
include information related to the identity and professional life of the employee, information
related to building and computer device access, and information generated by the system itself.
It also limits the categories of persons who can have access to the data. Finally, it explicitly
reminds employers that a DPIA should be carried out prior to implementing a biometric system, and
it enumerates a long list of technical and organizational measures that employers should take to
ensure an appropriate level of security.
The CNIL fined a French company 10,000 euros for using a biometric system to monitor
employees’ working time, and for failing to take the technical and organizational measures needed
to ensure an appropriate level of security. The CNIL noted that the company’s computer devices
were protected by neither strong passwords nor automatic locking.
III. EUROPEAN DATA PROTECTION LAW UPDATE
A. Privacy Shield
On 9 July 2019, the Court of Justice of the EU heard case C-311/18, Irish Data Protection
Commissioner v. Max Schrems (‘Schrems II’), but the Court has not ruled yet. The complaint
brought by Schrems aims at stopping data transfers made by a social media company from the EU
to the US, on the basis that the company transfers the personal data of EU citizens for
processing that violates their fundamental rights.
In 2015, the Court had already ruled on a case brought by Max Schrems and invalidated the
Safe Harbor agreement, which allowed data transfers between the EU and the US, because the
framework did not meet the level of protection required by EU law (Case C-362/14).
In the decision expected in late 2019 or early 2020, the Court will decide whether the
Privacy Shield and the Standard Contractual Clauses meet this level of protection. If the
Court invalidates one or both of these mechanisms, companies must take appropriate steps to keep
data flowing lawfully between the EU and the US. If both mechanisms are invalidated, the only
option left would be Binding Corporate Rules.
During the pleadings, the EDPB considered “that the COM is not obliged to examine
whether the access of the public authorities of a given third country to the data transferred
respects the level of protection required by EU law. The EDPB considers that this is primarily
the responsibility of the exporter and the importer, when considering whether to enter into the
SCCs. This means that it is also for [Supervisory Authorities] (SAs), in particular on the basis of
a complaint, to assess whether the continuity of the protection afforded by Union law is ensured
once the data were transferred, including whether the exporter and importer complied with their
obligations under the SCCs. If not, SAs may suspend transfers.”
Another case is pending before the Tribunal of the European Union (T-738/16), brought by
La Quadrature du Net, a French association protecting citizens’ digital rights and freedoms.
This claim also aims at invalidating the Privacy Shield. The tribunal postponed the hearing to
wait for the Court to rule in Schrems II.
B. GDPR update
1. Sanctions in case of lack of security measures
Failure to implement adequate measures to ensure the security of processing (Article 32
of the GDPR) will result in an administrative fine of up to 10 million euros or 2% of total
worldwide annual turnover. Employers should pay particular attention to this security obligation,
since most of the penalties imposed by SAs relate to breaches of it.
For example, the ICO (the English SA) recently announced its intention to fine an airline
200 million euros for infringing the GDPR, and more specifically this security obligation. Even
though the ICO has not yet actually imposed the sanction, such an amount represents 1.5% of the
company’s turnover and would be the highest fine ever imposed under the GDPR. The infringement
occurred during the summer of 2018, when a scam directed customers to a fake website
impersonating the company and collected their personal data. This cyber incident was made
possible by the company’s negligence in implementing appropriate technical measures to ensure
data security.
The ICO also announced its intention to fine another company 110 million euros for failing
to comply with Article 32 of the GDPR, and thus exposing the personal data of 300 million of its
customers. In this instance, the company had taken over another business which had suffered a
cyber incident compromising customers’ personal data. The ICO considered that the acquiring
company should have taken steps to ensure the security of the other company’s systems.
In France, similar incidents also led to administrative fines, though smaller in amount. The
CNIL imposed a fine of 180,000 euros on an insurance company whose website allowed customers to
subscribe to contracts, request quotes or access their online account. The CNIL received a
complaint from a customer stating that, from his own personal account, he had access to other
customers’ personal files. An inspection revealed that clients’ documents, including bank account
information, driving licenses, car registration documents, and information related to hit-and-run
incidents or withdrawal of driving licenses, could be reached through hyperlinks or simply by
modifying the end of the URL.
The CNIL also fined a real estate company 400,000 euros for a very similar offense. The
company’s website let real estate applicants upload the personal documents required for their
application. The French SA received a complaint from a user explaining that, from his own
personal account, he had access to other applicants’ personal documents, which included ID cards,
healthcare cards, divorce judgments and even bank statements.
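The access-control failure behind these two fines, where a logged-in user could reach other users’ files by changing the identifier at the end of a URL, as an added illustration that is not code from the paper or from the companies it describes; the document store, the sessions and both handlers are constructed for this example:

```python
"""Constructed example: the broken access control behind the two CNIL fines.

Both sites let an authenticated user fetch files by an id taken from the URL
and never checked that the file belonged to that user. The store, the
sessions and both handlers below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    name: str


# Constructed sample data: two customers, each with their own uploaded files.
DOCUMENTS: Dict[int, Document] = {
    101: Document(101, owner_id=1, name="bank_statement.pdf"),
    102: Document(102, owner_id=1, name="driving_licence.pdf"),
    201: Document(201, owner_id=2, name="id_card.pdf"),
}


class Forbidden(Exception):
    """The request has no valid session."""


class NotFound(Exception):
    """No document the caller is allowed to see has this id."""


def get_document_vulnerable(session_user_id: Optional[int], doc_id: int) -> Document:
    """Vulnerable pattern: authentication is checked, authorization is not.

    The handler only verifies that someone is logged in and then looks the
    file up by the id copied straight from the URL. Ownership is never
    compared, so any customer can read every other customer's file by
    editing the number at the end of the address.
    """
    if session_user_id is None:
        raise Forbidden("login required")
    try:
        return DOCUMENTS[doc_id]
    except KeyError:
        raise NotFound(doc_id) from None


def get_document_hardened(session_user_id: Optional[int], doc_id: int) -> Document:
    """Hardened pattern: the lookup is scoped to the authenticated user.

    The ownership comparison happens server-side on every request. A foreign
    id yields the same NotFound as a nonexistent id, so the response does not
    even confirm which ids exist.
    """
    if session_user_id is None:
        raise Forbidden("login required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != session_user_id:
        raise NotFound(doc_id)
    return doc


Handler = Callable[[Optional[int], int], Document]


def leaks_foreign_documents(handler: Handler, user_id: int) -> bool:
    """Regression check for the property the CNIL inspected: from one account,
    can the handler return any document owned by someone else? Keep it in the
    test suite so the ownership check cannot silently disappear again."""
    for doc_id, doc in DOCUMENTS.items():
        if doc.owner_id == user_id:
            continue
        try:
            handler(user_id, doc_id)
            return True  # a foreign file came back: access control is broken
        except (Forbidden, NotFound):
            continue
    return False


if __name__ == "__main__":
    print("vulnerable handler leaks:", leaks_foreign_documents(get_document_vulnerable, 1))
    print("hardened handler leaks:  ", leaks_foreign_documents(get_document_hardened, 1))
```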
Regarding data breaches, the Romanian SA also issued two fines in July 2019, of 3,000
and 15,000 euros, to companies which had failed to implement adequate technical and organizational
measures to ensure an appropriate level of security.
In September 2019, the Polish SA in turn fined a company 645,000 euros for a lack of
security measures protecting personal data. It is estimated that the personal data of 2.2 million
individuals were compromised because of several failings, including an inadequate risk assessment
and insufficient safeguards. For most of these individuals, the compromised data included name,
email, address or phone number. For a smaller group, however, the leaked data was more personal,
as it included educational background, marital status, or the source and amount of income.
2. Brexit
The United Kingdom is expected to leave the European Union on 31 October 2019, but the
UK Parliament has so far failed to ratify a withdrawal agreement with the EU. Consequently, the
ICO has published guidance to help businesses with the impact of a no-deal Brexit on the
protection of personal data. The EDPB also adopted an Information note on data transfers under
the GDPR in the event of a no-deal Brexit, whose provisions are stricter than the ICO’s
position.
When the United Kingdom is no longer a member of the EU but a “third country” instead,
the GDPR will stop applying in the UK. However, Brexit should not greatly affect data protection
rules, since the UK planned, in its 2018 EU Withdrawal Act (EUWA), to maintain the high standard
of protection set out by the GDPR. The rights and obligations currently provided by the GDPR and
the 2018 Data Protection Act would remain the same for the most part.
The exit will barely affect small businesses operating solely within the United Kingdom
that do not transfer data outside the country. Nevertheless, businesses operating internationally
must pay special attention to how to keep data flowing between the UK and other countries. The
principal concern is data transfers from the EEA to the UK, which must rely on specific
instruments.
Indeed, as a reminder, transfer of personal data is free within the EEA. To send personal
data to a country outside of the EEA (‘restricted transfer’), European businesses must rely on an
adequacy decision, an appropriate safeguard (usually Binding Corporate Rules or Standard
Contractual Clauses) or an exception.
Transfers between UK and the EEA
After Brexit, transferring data from the EU to the UK will be considered a restricted
transfer. Since the UK is maintaining the same protection as the GDPR in its domestic law, the
European Union will most likely adopt an adequacy decision for the UK. Nevertheless, the process
may take a few years and can only begin after the formal exit. Therefore, in the event of a
no-deal Brexit, the EDPB recommends that companies within the EEA use an appropriate safeguard
(standard and ad hoc contractual clauses, binding corporate rules, codes of conduct and
certifications) or, where applicable, an exception to transfer data to the UK, as long as no
adequacy decision has been adopted.
Regarding transfers from the UK to EU member states, EEA countries, and third
countries for which the EU has already issued an adequacy decision, the UK government has
confirmed that personal data will continue to flow freely because the UK will recognize these
adequacy decisions.
Transfers between UK and the US
Regarding transfers between the UK and the US relying on the Privacy Shield, US
businesses need to update their public commitment to comply with the Privacy Shield so that it
extends to personal data flowing from the UK. To avoid any interruption of data flows,
businesses must modify their commitment before 31 October 2019 in the case of a no-deal scenario,
or before the end of the transition period (31 December 2020) if an agreement is ratified. If the
transfer concerns HR data, businesses must also update their HR privacy policy.
Transfers between the UK and third countries
The UK government confirmed that organizations currently relying on standard contractual
clauses or binding corporate rules to transfer data from or to the UK will be able to continue such
transfer.
C. DPIA
The GDPR requires companies to carry out a Data Protection Impact Assessment
(‘DPIA’) before implementing certain data processing operations within their organization.
The Article 29 Working Party (the predecessor of the EDPB) published a set of guidelines on
DPIAs in 2017 (Guidelines WP 248). Since national SAs are required to establish and make public
a list of processing operations for which a DPIA is mandatory (Article 35(4) GDPR), and are
encouraged to publish a list of operations exempt from DPIA (Article 35(5) GDPR), these guidelines
aim at developing a common European framework for DPIAs. In addition, the opinions issued by the
EDPB on these lists also contribute to a uniform approach.
All 31 members of the EDPB (the 28 EU member states plus Iceland, Liechtenstein, and
Norway) have already published a list of processing operations for which a DPIA is mandatory.
Furthermore, France, Spain and the Czech Republic have also drafted a list of processing
operations exempt from DPIA, but have not published these lists yet.
Requirement or exemption to carry out a DPIA
According to Article 35 of GDPR, this requirement applies where the processing
operation is “likely to result in a high risk to the rights and freedoms of natural persons”. The
EDPB established nine criteria used to determine whether a DPIA is required:
1. Evaluation or scoring;
2. Automated decision-making with legal or similar significant effect;
3. Systematic monitoring;
4. Sensitive data or data of a highly personal nature;
5. Data processed on a large scale;
6. Matching or combining datasets;
7. Data concerning vulnerable data subjects;
8. Innovative use or applying new technological or organizational solutions;
9. Preventing data subjects from exercising a right or using a service or contract.
The board considers that when two out of these nine criteria are met, a DPIA should be
conducted.
Even though disparities exist between the different national lists, implementing
technologies such as video surveillance, geolocation, and especially new technologies involving
profiling and/or handling sensitive data (like artificial intelligence or biometrics) will most likely
always have to be subject to a DPIA. Furthermore, any processing aimed at monitoring
employees should require a DPIA, since it meets two criteria of the EDPB guidelines: systematic
monitoring (criterion 3), and data concerning vulnerable data subjects (criterion 7).
Regarding employees’ personal data, the lists of France, the UK and Spain all consider
biometric processing and profiling of individuals likely to result in a high risk. While France
specifically refers to profiling for HR purposes, including recruitment tools using algorithms or
predictive analysis, the Spanish list refers to profiling, including for the purpose of
performance at work, without further precision. By contrast, the UK list refers only to
large-scale profiling, without any mention of employees. The examples given (such as IoT
applications or software offering fitness monitoring) seem to concern consumers more than
employees.
Even though they all consider in general that the monitoring of employees, and especially
geolocation, requires a DPIA, they differ in their wording: France is the only one to expressly
mention video surveillance and cyber surveillance, including tools such as Data Loss Prevention,
while the UK refers generally to “data processing at the workplace”.
Only Spain and the UK mention explicitly that the mere use of innovative technologies must
undergo a DPIA, and only the UK cites AI.
Unlike Spain, France and the UK both consider whistleblowing procedures to require a
DPIA.
On 10 July 2019, the EDPB adopted its opinions on the draft lists of France, Spain, and the
Czech Republic regarding processing operations exempt from DPIA. The French SA (the ‘CNIL’)
intended to exempt from DPIA “processing carried out solely for the purpose of managing access
controls and schedules, excluding any biometric device”. In its opinion 13/2019, the EDPB
considered that the CNIL should amend this provision so that processing revealing sensitive data
or data of a highly personal nature would not be exempt from DPIA. Regarding access control, the
advisory body recommended that only non-biometric mechanisms be exempt from DPIA. Regarding work
schedules, it recommended that only processing whose sole purpose is calculating working time be
covered by the exemption. In its opinion 11/2019, the EDPB recommended that the Czech SA remove
from its draft list the “processing involving the taking of footage by a camera installed on a
vehicle”, which should therefore be subject to a DPIA.
2. Obligation to consult SA
According to Article 36 GDPR, when conducting a DPIA, a data controller must assess the
risks the processing poses to the rights and freedoms of data subjects. The data controller must
then define measures to mitigate the identified risks and reduce them to an appropriate level. If,
even after these measures have been identified, the risks to rights and freedoms remain high, the
data controller has an obligation to consult the relevant SA prior to implementing the
processing.
3. Sanction
Failure to comply with these requirements can lead to an administrative fine of up to 10
million euros or 2% of total worldwide annual turnover, whichever is higher (article 83 (4)
GDPR).
In August 2019, the Swedish SA issued a fine of approximately 20,000 euros to a
municipality which ran a facial recognition test in a school to track students’ attendance.
Besides the unlawful processing of biometric data, the school had failed to conduct a proper DPIA
and had failed to consult the SA prior to implementation.
IV. PHYSICAL AND ELECTRONIC SURVEILLANCE
Including social media and other cyber surveillance
In Europe, all data processing must rely on a legal basis. The EU does not regard consent
given by employees as genuine consent, meaning that the employer cannot rely on it to collect or
process their personal data. Any cyber surveillance system will therefore most likely have to be
necessary to protect the employer’s legitimate interests or to perform employment contracts.
Any kind of cyber surveillance will most likely meet at least two criteria of the list
established by the EDPB and thus require a DPIA to be carried out before its implementation.
Employers must also inform employees that any monitoring system will be implemented
within the firm. Some European countries, like France, also require employers to inform and
consult the Workers’ Council before implementing means and techniques used to monitor
employees’ activity.
1. Social Media
Regarding social media, the EDPB considers that the fact that the employee or job
candidate’s profile is public does not mean the employer is authorized to process freely the
personal data it contains. The employer should rely on a legal basis for that, like legitimate
interest.
Employers can collect and process data contained on a prospective employee’s profile on
LinkedIn for example, if the collection of those data is necessary and relevant to the performance
of the job offered. Before inspecting the profile of a prospective employee, the employer should
verify that the employee uses the social media for a professional purpose.
For current or former employees, employers should avoid screening their social media
profiles unless they have a legitimate interest in doing so. For example, an employer can inspect
the LinkedIn profiles of former employees if it can prove that this is the only means available
to verify that they respect their non-compete clause.
2. Video surveillance
In addition to the opinion on data processing at work (opinion 2/2017), which provides
some guidance on video surveillance of employees, the EDPB recently published a set of
Guidelines specifically on the use of video surveillance (Guidelines 3/2019).
Except in rare situations where an employer asks employees to be filmed for a video
promoting the company for example, consent will never be the legal basis for video surveillance.
The only legal basis possible here is the legitimate interest of the employer. Monitoring
employees is considered a legitimate interest within the European Union, as long as the
employees’ interests or fundamental rights and freedoms do not override the pursuit of such
interest.
Again, carrying out a DPIA and providing employees with information is necessary.
Even if the employer has a legitimate interest in monitoring employees through video
surveillance, such monitoring must not be excessive. This means that CCTV cameras should not
directly record the employees but should point at entrances or the company’s property. The
French SA recently fined a small business 20,000 euros for excessive video surveillance. The
cameras pointed directly and continuously at employees, who had not received appropriate
information about the monitoring system.
Video surveillance may reveal highly personal data and even special categories of data
(sexuality, political or religious beliefs, trade union membership…) about employees. Employers
cannot use video surveillance to identify special categories of data. For example, an employer
cannot use video surveillance footage of a strike to identify employees taking part in the
demonstration.
Employers must also be careful regarding storage limit. It is recommended to keep data
only a few days and in any event no longer than a month.
B. Geolocation
Since an employer can never rely on consent as a legal basis for monitoring employees or
implementing new technologies, the collection and processing of employees’ geolocation data must
rely on a legitimate interest of the employer.
Geolocation data is considered very intrusive because it is likely to reveal very sensitive
aspects of the employee’s personality (sexuality, political or religious beliefs, trade union
membership…). Therefore, the data protection regulators stress that geolocation data should only
be used as a “last resort”, when there is no other means of achieving the purpose.
The French Supreme Court ruled that “the use of a geolocation system to ensure working
time control, which is lawful only when such control cannot be carried out by any other means,
even if less effective than geolocation, is not justified when the employee has freedom in the
organization of his work” (for example itinerant sales representatives) (Cass., 19 December
2018, n°17-14.631).
The geolocation system must be designed as to allow employees to deactivate it when
they are not under the subordination of the employer (e.g. outside of their working hours and
during their break periods). It would also be illegal to geolocate staff representatives during their
delegation hours.
In any event, geolocation cannot be used to monitor and evaluate employees or to control
the respect of speed limits.
Of course, DPIA and information of employees are required too for geolocation systems.
C. Predictive Analysis
Predictive analysis software analyzes personal data and the associated outcomes to derive
patterns, and uses these patterns to predict the future. In Human Resources, running predictive
analysis on employees allows employers to predict who would leave the company, when and why.
With this information, measures can be taken (such as a promotion or higher pay) to prevent
employees from quitting, and thus to avoid costly employee turnover.
Article 4(4) of GDPR defines this technology as Profiling: “any form of automated
processing of personal data consisting of the use of personal data to evaluate certain personal
aspects relating to a natural person, in particular to analyze or predict aspects concerning that
natural person's performance at work […], reliability, [or] behavior”.
Employees must be informed of the existence of profiling or automated decision-making
on them based on predictive analysis software. Article 22 gives employees the right to refuse to
be subject to profiling or automated decision-making unless the decision is necessary for
performance of his or her employment contract or is authorized by the EU or the concerned
Member state.
Like employers using AI-based recruitment tools, employers implementing predictive
analysis systems must carry out a DPIA beforehand. Indeed, in the context of HR, predictive
analysis and recruitment tools aim at evaluating or scoring individuals (criterion 1) and involve
automated decision-making with legal or similar significant effect (criterion 2). In addition,
employees are considered vulnerable data subjects (criterion 7) and AI and algorithms are new
technological solutions (criterion 8). More than two criteria of the EDPB list apply; therefore a
DPIA will always be required before implementing predictive analysis solutions.
In the Guidelines on Automated individual decision-making and Profiling, the EDPB lists
different measures that employers should take to ensure appropriate safeguards. For example, the
EDPB recommends adopting the following good practices:
“regular quality assurance checks of their systems to make sure that individuals are
being treated fairly and not discriminated against”;
“algorithmic auditing […] to prove that they are actually performing as intended, and
not producing discriminatory, erroneous or unjustified results”;
“for independent ‘third party’ auditing […], provide the auditor with all necessary
information about how the algorithm or machine learning system works;”
“obtaining contractual assurances for third party algorithms that auditing and testing
has been carried out and the algorithm is compliant with agreed standards”;
“specific measures for data minimization to incorporate clear retention periods for
profiles and for any personal data used when creating or applying the profiles”;
“using anonymization or pseudonymisation techniques”;
“ways to allow the data subject to express his or her point of view and contest the
decision”;
“a mechanism for human intervention in defined cases, for example providing a link
to an appeals process at the point the automated decision is delivered to the data
subject, with agreed timescales for the review and a named contact point for any
queries”.
V. SCAM AVOIDANCE: INFO SECURITY BEST PRACTICES
In order to prevent data breaches, GDPR requires data controllers to “implement
appropriate technical and organizational measures to ensure a level of security appropriate to the
risk” for the rights and freedoms of data subjects (Article 32 GDPR). To be GDPR compliant, an
employer must guarantee the protection and confidentiality of employees’ personal data.
As mentioned in Article 32, technical measures refer for example to IT solutions such as
pseudonymisation and encryption of personal data. Organizational measures can include
determining who has access to personal data and to which extent, but also training employees
and raising their awareness on data security.
Many SAs, such as the CNIL and the ICO, have published comprehensive guidance to
help employers take steps to ensure an appropriate level of security. When implementing new
technologies that can potentially result in high risk for the rights and freedoms of employees, the
CNIL recommends that employers adopt the following measures:
Pseudonymisation, which is a technique whereby a pseudonym replaces the name of
the employee to whom the data relates;
Data minimization;
Regular auditing of the systems;
Raising awareness of employees through information and IT charter;
Securing authentication of employees with unique logins and strong passwords;
Managing authorizations by defining who has access to what data;
Tracing accesses and managing incidents (logging system and data breach
notification procedure);
Securing workstations with automatic locking, antivirus software, and firewalls;
Securing mobile computing through encryption, regular backups or synchronizations of
data;
Protecting the internal computer network;
Securing servers by limited access, installing updates without delay;
Securing websites by using TLS protocol and placing a consent banner on cookies
that are not required;
Backup and planning for continuity of activity;
Securing archiving;
Supervising maintenance and the destruction of the data;
Managing subcontracting through a specific clause in contracts, and ensuring
effectiveness of the guarantees provided;
Securing exchanges with other organizations especially through encryption;
Protecting the premises with restricted access, alarms, and locks;
Supervising IT developments with privacy-friendly settings;
Using cryptographic functions (recognized algorithms and software).
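The pseudonymisation and data minimization items in the CNIL list above, together with the EDPB's recommendation in section IV of clear retention periods for profiles, can be illustrated with a short script. The following Python example is added here and is not code from the paper, the CNIL or the EDPB; the HR record layout, the field names and the 30-day retention period are constructed assumptions. It replaces the employee identifier with a keyed HMAC-SHA256 pseudonym, keeps only the fields the analytics use case needs, and holds the re-identification table apart from the analytics rows, so that a recipient of the rows alone cannot recover which employee is which.

```python
"""Pseudonymise an HR export for analytics (added example; assumptions noted)."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Assumption: the analytics use case needs only these fields (data minimisation).
ANALYTICS_FIELDS = ("department", "hire_date", "absences_last_year")
# Direct identifiers that must not reach the analytics team.
DIRECT_IDENTIFIERS = ("employee_id", "name", "email", "home_address")

# Constructed sample input, in the shape of a fictional HR system export.
# The third record is the same employee appearing again in a second export.
SAMPLE_RECORDS = [
    {"employee_id": "E1001", "name": "Alice Example", "email": "alice@example.test",
     "home_address": "1 Rue Imaginaire, Paris", "department": "Finance",
     "hire_date": "2015-03-02", "absences_last_year": 3},
    {"employee_id": "E1002", "name": "Bob Example", "email": "bob@example.test",
     "home_address": "2 Rue Imaginaire, Paris", "department": "IT",
     "hire_date": "2018-11-12", "absences_last_year": 0},
    {"employee_id": "E1001", "name": "Alice Example", "email": "alice@example.test",
     "home_address": "1 Rue Imaginaire, Paris", "department": "Finance",
     "hire_date": "2015-03-02", "absences_last_year": 4},
]


def make_pseudonym(employee_id: str, key: bytes) -> str:
    """Keyed hash of the identifier: stable for the same employee under the same
    key, but not recomputable by anyone who does not hold the key."""
    digest = hmac.new(key, employee_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def pseudonymise(records, key: bytes, created: date, retention_days: int):
    """Return (analytics_rows, lookup_table).

    analytics_rows carry a pseudonym, an expiry date and only ANALYTICS_FIELDS;
    lookup_table maps pseudonym -> employee_id and stays with HR, not with the rows.
    """
    expires = (created + timedelta(days=retention_days)).isoformat()
    rows, lookup = [], {}
    for rec in records:
        pseud = make_pseudonym(rec["employee_id"], key)
        lookup[pseud] = rec["employee_id"]
        row = {"pseudonym": pseud, "expires": expires}
        for field in ANALYTICS_FIELDS:
            row[field] = rec[field]
        rows.append(row)
    return rows, lookup


def contains_direct_identifier(rows) -> bool:
    """Check that no direct identifier leaked into the analytics rows."""
    return any(field in row for row in rows for field in DIRECT_IDENTIFIERS)


def reidentify(pseudonym: str, lookup: dict):
    """Only the holder of the lookup table can go back to the employee."""
    return lookup.get(pseudonym)


def purge_expired(rows, today: date):
    """Drop rows whose retention period has run out (ISO dates sort lexically)."""
    return [row for row in rows if row["expires"] > today.isoformat()]


if __name__ == "__main__":
    # In practice the key lives in a secrets store, apart from both outputs.
    key = secrets.token_bytes(32)
    rows, lookup = pseudonymise(SAMPLE_RECORDS, key, date.today(), retention_days=30)
    for row in rows:
        print(row)
    print("direct identifiers present:", contains_direct_identifier(rows))
    print("re-identified first row:", reidentify(rows[0]["pseudonym"], lookup))
```

Using a keyed hash rather than a plain hash of the identifier matters: a recipient of the rows cannot re-derive pseudonyms by hashing guessed employee numbers unless they also hold the key, so the key and the lookup table should be stored apart from the analytics rows and with narrower access rights. Pseudonymised data remains personal data under GDPR (Article 4(5) and Recital 26), so the retention period and the access controls on the lookup table still apply to it.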
BIOMETRIC DATA
STATE LAW UPDATES – A SUMMARY
Thomas E. Deer
I. Laws Governing the Use of Biometric Data [1]
Some states have laws specifically governing when and how biometric information may
be gathered and used, and how such information must be protected. These laws describe specific
requirements that employers must follow including, but not limited to, notifying employees that
biometric information will be gathered and implementing a policy protecting such biometric
information. The following summarizes these laws:
A. Illinois:
Illinois has a law that specifically governs the use of biometric information. Illinois’
Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”) regulates the collection, use,
safeguarding, and storage of biometric information by private entities.
Under the BIPA, a private entity, including an employer, in possession of biometric
identifiers (which includes fingerprints, or scans of hand or facial geometry) or biometric
information must develop a written policy, posted and available to the public, in the entity’s place
of business, establishing a retention schedule and guidelines for permanently destroying biometric
identifiers and biometric information when the initial purpose for collecting or obtaining such
identifiers or information has been satisfied or within three (3) years of the individual’s last
business dealings with the entity – an employee’s resignation, for example – whichever occurs
first.
Before obtaining biometric information, an entity must first: (i) inform the individual (or a
legally authorized representative) that his or her biometric information is to be collected; (ii)
indicate the purpose for collecting the biometric information and the length of time for which it is
to be collected, stored, and used; and (iii) receive a written release from the individual. The term
“written release” is defined in the Act, and specifically includes “in the context of employment, a
release executed by an employee as a condition of employment.” Once collected, biometric
information may not be sold, leased, or traded. It also may not be disclosed or disseminated unless
the individual who is the subject of the biometric information consents; the disclosure completes
a financial transaction requested or authorized by the individual; the disclosure is required by
federal or state law; or the disclosure is required pursuant to a valid warrant or subpoena.
[1] Two other areas that are worth a mention are (i) accommodating religious beliefs, and (ii) Genetic Information
Nondiscrimination Act (GINA). Various federal, state, and local laws impose a duty to accommodate religious beliefs.
The biometric finger-scanning device is considered, by some, to be a mark that is prohibited by their religious beliefs,
and there are several instances where employers were required to make accommodations due to the conflict with those
religious beliefs. The next area involves federal, state, and local laws limiting the collection of, and prohibiting
discrimination on the basis of, medical information, such as the Americans with Disabilities Act and the Genetic
Information Nondiscrimination Act (GINA). Fingerprints are not typically considered medical information, but other
biometric data might be.
An entity that possesses biometric information must store, transmit, and protect the
information from disclosure using a standard of care that is reasonable within the private entity's
industry, and a method that is the same as or more protective than the manner in which the entity
stores, transmits, and protects other confidential and sensitive information that is used to uniquely
identify an individual, such as account numbers, PIN numbers, driver’s license numbers, or social
security numbers. To summarize, the BIPA requires companies to have both a biometric policy
and consent form, which should be signed prior to use of biometric time clocks or other biometric
equipment. The policy and consent need to address multiple issues in the BIPA such as notice,
collection, use, storage and destruction of the biometric identifiers.
The Act gives a private right of action to aggrieved individuals to sue companies not in
compliance with the BIPA for liquidated damages of $1,000 or $5,000 per violation, actual
damages, injunctive relief and attorney’s fees. In recent years, the requirements of the BIPA have
become fertile ground for class action lawsuits.
B. New York:
New York Labor Law prohibits private employers from requiring employees to be
fingerprinted as a condition of employment or continued employment, unless otherwise required
by law. Section 201-a of the New York Labor Law states:
Except as otherwise provided by law, no person, as a condition of securing
employment or of continuing employment, shall be required to be fingerprinted.
This provision shall not apply to employees of the state or any municipal
subdivisions or departments thereof, or to the employees of legally incorporated
hospitals, supported in whole or in part by public funds or private endowment, or
to the employees of medical colleges affiliated with such hospitals or to employees
of private proprietary hospitals.
Thus, with limited exceptions, Section 201-a prohibits private employers from requiring
employees to be fingerprinted as a condition of securing or continuing employment. Enacted in
1937, the purpose behind the legislation “clearly was to prevent private employers from using
fingerprinting as a means for blacklisting union leaders and members.” Friedman v. Valentine, 177
Misc. 437, 442, 30 N.Y.S.2d 891, 896 (Sup. Ct., NY Cty. November 10, 1941) aff’d 266 A.D. 561,
42 N.Y.S.2d 593 (N.Y. App. Div. 1943).
Although enacted for the reason suggested above, several companies have sought opinions
from the New York State Department of Labor (“NYSDOL”) as to whether the use of a biometric
device in a time clock violates Section 201-a. As it turns out, the NYSDOL interprets Section 201-
a as prohibiting employers from requiring employees be fingerprinted for timekeeping purposes
and it does not matter that the time clock does not actually store the employees’ fingerprints.
According to the NYSDOL, simply interpreting the fingerprint was enough to violate the Labor
Law’s protections. Under the NYSDOL’s guidance, requiring the use of a finger-scanning
biometric time clock or similar devices would violate Section 201-a. But, there are limited
exceptions: (i) Employees required by law to be fingerprinted (e.g., teachers) may be required to
use a biometric time clock for timekeeping purposes, regardless of whether the device interprets
the employee’s fingerprints; (ii) Time clocks that “measure the geometry of the hand” are
permissible so long as they do not scan the surface details of the hand and fingers in a manner
similar or comparable to the scanning of a fingerprint; and (iii) Voluntary use of a finger-scanning
biometric device is permissible. (Note: employers may not take any adverse employment action
against employees who forego fingerprinting, or otherwise coerce employees to use the biometric
device.) See NYSDOL Opinion Letters RO-10-0024 (April 22, 2010), RO-08-0029 (August 14,
2008) and RO-08-0091 (August 26, 2008).
While the NYSDOL’s opinion on this issue is clear, no New York court has weighed in on
the use of finger-scanning devices as a timekeeping method. The weight of New York case law,
however, favors deference to the NYSDOL and its opinions. Thus, while the Courts have not
weighed in on the use of biometric devices and Section 201-a, the NYSDOL’s position on this is
clear – the use of biometric finger scanning that uses anything other than a scan of finger geometry
is prohibited and it is probable that Courts will defer to the NYSDOL’s interpretive guidance.
In addition to its law addressing the use of fingerprints, New York also prohibits an
employer from publicly posting an employee’s “personal identifying information,” which includes
Social Security number, home address or telephone number, email address, Internet identification
name or password, parent’s surname and drivers’ license number. Although the definition of
“personal identifying information” does not yet include personal identifiers such as biometric data,
safeguarding such data is a good business practice.
C. Texas:
Under Texas law, a person may not capture biometric information for commercial purposes
unless it informs the individual beforehand and obtains the individual’s consent. TEX. BUS. & COM.
CODE § 503.001(b). A person who possesses biometric identifiers that are captured for commercial
purposes may not sell, lease, or disclose biometric information unless: the individual consents to
disclosure for purposes of identification in the event of his or her disappearance or death; the
disclosure completes a financial transaction the individual requested or authorized; the disclosure
is required or permitted under federal or state law, or the disclosure is made to law enforcement in
response to a warrant. See TEX. BUS. & COM. CODE § 503.001(c).
In addition, the person who possesses a biometric identifier must store the information
using reasonable care in a manner that is the same or more protective than how it stores other
confidential information, and it must destroy the information no later than the first anniversary of
the date the purpose for collecting the information expires. A business must implement and
maintain reasonable procedures, including taking any appropriate corrective action, to protect from
unlawful use or disclosure any sensitive personal information collected or maintained by the
business in the regular course of business. Personal information includes unique biometric data
and social security numbers.
Texas does not provide for a private cause of action under the statute, but instead
charges its Attorney General with responsibility for enforcement. TEX. BUS. & COM. CODE §
503.001(d).
D. Washington
This year, the state of Washington became the third state to enact a law specifically
addressing the use of biometric information. In the new law, the state provides that it “intends to
require a business that collects and can attribute biometric data to a specific uniquely identified
individual to disclose how it uses that biometric data, and provide notice to and obtain consent
from an individual before enrolling or changing the use of that individual’s biometric identifiers
in a database.”
The law provides that “a person may not enroll a biometric identifier in a database for a
commercial purpose, without first providing notice, obtaining consent, or providing a mechanism
to prevent the subsequent use of a biometric identifier for a commercial purpose.” WASH. REV.
CODE § 19.375.020. The law requires that a “person who knowingly possesses a biometric
identifier of an individual that has been enrolled for a commercial purpose” must take “reasonable
care” to guard against unauthorized access and may retain the information no longer than is
reasonably necessary. Id.
Washington does not provide for a private cause of action under the statute, but instead
charges its Attorney General with responsibility for enforcement. WASH. REV. CODE § 19.375.030.
E. Virginia:
Virginia does not have a statute governing the use of biometric data, but it does have a
statute governing fingerprints. Specifically, VA. CODE § 59.1-478, requires the return or
destruction of fingerprints required for any transaction within 21 days after the transaction is
completed, unless the parties agree otherwise.
F. California
California does not have a biometric law and employers in California are allowed to obtain
fingerprints from employees.
However, in a quirky provision, California law makes it a criminal misdemeanor for
employers to share employee fingerprints with “any other employer or third person.” CAL. LABOR
CODE § 1051. In addition, any person who “knowingly causes” the employer to share employee
fingerprints with a third party is also guilty of a criminal misdemeanor. Id. § 1052. In addition to
criminal penalties, the statute also provides for treble damages in a civil suit. Id. § 1054. While it
is difficult to imagine this situation arising, employers should be mindful not to share
employee fingerprints with clients or obtain copies of those fingerprints from clients throughout
this process.
U.S. State Privacy Law Tracker

Arkansas
Effective date: 9-Aug-19
Title of statute: To Amend The Personal Information Protection Act; And To Revise The Definition Of "personal Information" In The Personal Information Protection Act
Statute citation: HB 1943
Summary: Revises Arkansas Code section 4-110-103(7) to include biometric data in the definition of “personal information.” Requires that, in the event of a security breach which affects the personal information of more than 1,000 individuals, a notification of the breach must now also be made to the Attorney General.
Notes: Revises existing law

California
Effective date: 1/1/2020 (amendments pending approval)
Title of statute: The California Consumer Privacy Act of 2018 (CCPA) (W-015-6908)
Statute citation: Cal. Civ. Code §§ 1798.100 - 1798.199
Summary: Recent modifications include: AB 25 (Employee Personal Information Exemption) - employee personal information would be excluded from many of the CCPA’s requirements. AB 874 (Publicly Available Information Exception) - removes a limitation on the “publicly available information” exception to the definition of personal information. If signed into law, publicly available information will be defined as “information that is lawfully made available from federal, state, or local government”. AB 1146 (Vehicle Information Exemption): AB 1146 exempts from a consumer’s [truncated in source]
Notes: Amendments

Illinois
Effective date: 1-Jan-20
Title of statute: Personal Information Protection Act
Statute citation: Personal Information Protection Act (2013) (amended 2019)
Summary: Amendment requiring notification to the Attorney General if a security breach affects 500+ IL residents. Must provide AG with a description of the breach, the number of affected residents, and details of any steps taken related to the incident.
Notes: Amendment - SB 1624; 815 ILCS 530

Maine
Effective date: 1-Jul-20
Title of statute: The Act to Protect the Privacy of Online Consumer Information
Statute citation: The Act to Protect the Privacy of Online Consumer Information, § 9301 (2019)
Summary: Requires ISPs to obtain opt-in consent prior to, “using, disclosing, selling or permitting access to [a consumer’s] prohibited personal information.”
Notes: LD 946

Maryland (security breach notification)
Effective date: Oct. 1, 2019
Title of statute: Maryland Personal Information Protection Act - Security Breach Notification Requirements - Modifications
Statute citation: MD Comm. L. Code § 14-3504 (2015) (amended 2019)
Summary: Expands scope of covered businesses, including businesses that own, license, or maintain personal information of MD residents. Prohibits business liable for breach from using information "relative to a breach" for purposes other than (1) [truncated in source]
Notes: Amendment - HB 1154

Maryland (interception of oral communication)
Effective date: 1-Oct-19
Title of statute: Interception of Oral Communication – Law Enforcement Officer
Statute citation: Interception of Oral Communication - Law Enforcement Officer (2019)
Summary: Subject to certain exceptions, it is unlawful under Maryland law to intercept an oral communication without the consent of all parties to the communication. One of the exceptions applies to a law enforcement officer who intercepts an oral communication through a recording device, including a body camera, in the course of the officer’s regular [truncated in source]
Notes: HB552 (Chapter 521)

Massachusetts
Effective date: 11-Apr-19
Title of statute: An Act Relative to Consumer Protection from Security Breaches
Statute citation: An Act Relative to Consumer Protection from Security Breaches (2019)
Summary: Requires businesses to offer complimentary credit monitoring for 18 months if a breach involves a resident’s SSN. Breach notifications are to be provided on a rolling basis to avoid delay; and, if the exposed data is owned by a third party, then notice must identify that [truncated in source]
Notes: HB 4806

Nevada
Effective date: Oct 1, 2019
Statute citation: BDR 52-920
Summary: Amends the state’s existing online privacy law for owners and operators of Internet websites or online commercial providers. Prohibits sale of certain consumer information by an operator of an Internet website or online service upon customer request (“opt-out of sale” option for consumers). Redefines “operator” to exclude certain entities, like financial institutions.
Notes: S.B. 220

New York
Effective date: 25-Jul-19
Title of statute: Stop Hacks and Improve Electronic Data Security Act - Amendments
Statute citation: Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) (2019)
Summary: Expands security breach protection to the following categories: (1) biometric data, (2) account numbers and credit or debit card numbers without a security code, and (3) usernames, addresses, passwords, and security questions and answers. Businesses [truncated in source]
Notes: S5575B

New Jersey
Effective date: 1-Sep-19
Title of statute: NJ S52
Statute citation: P.L. 2019, c.95
Summary: Expands the definition of “personal information” to include usernames, addresses, passwords, and security questions and answers affiliated with an individual’s online account. If a breach occurs, businesses are required to notify affected NJ residents [truncated in source]

Oregon
Effective date: Jan-20
Title of statute: Oregon Consumer Information Protection Act
Statute citation: Oregon Consumer Information Protection Act (2019)
Summary: Extends certain data breach notification requirements to vendors. Vendors must now notify any contracted “covered entity” within 10-days of discovering a breach of security, as well as the Attorney General, if the breach involves more than 250 consumers or [truncated in source]
Notes: Amendment - SB 684; formerly the “Oregon Consumer Identity Theft Protection Act”

Texas
Effective date: 1-Jan-20
Title of statute: Texas Identity Theft Enforcement and Protection Act - Amendments
Statute citation: Texas Identity Theft Enforcement and Protection Act (2009) (amended 2019)
Summary: Requires businesses to send breach notifications (1) to affected individuals without “unreasonable delay,” but no later than 60-days after identifying such breach, and (2) to the Texas Attorney General within 60-days of identifying the breach, provided that the breach [truncated in source]
Notes: HB 4390

Washington
Effective date: 1-Mar-20
Title of statute: Washington House Bill 1071
Statute citation: C 241 L 19
Summary: The definition of “personal information” is expanded to include the following categories: birthdate; unique private keys for signing electronic records; student, military, or password identification numbers; medical information; biometric information; and online login credentials. Businesses may send breach notifications by email, unless the breach involves the credentials associated with that email account. If the breach affects 500+ residents, then the entity must provide notice to the Attorney General, identifying the type of [truncated in source]
Notes: NOTICE OF PERSONAL INFORMATION DATA BREACHES--VARIOUS PROVISIONS
Scans, Surveillance, and Scams—Top Privacy Developments
Presented by Cécile Martin (Paris) and Danielle Vanderzanden (Boston/Portland (ME))
Moderated by Thomas E. Deer (Chicago/Indianapolis)
I. Technology-Driven Hiring
II. Biometric Information Privacy
III. International Data Protection Law Update
IV. U.S. Data Protection Laws
V. Physical and Electronic Surveillance
VI. Scam Avoidance
Technology-Driven Hiring – Uses
Identifying new candidates
Automating contact with candidates
Searching existing candidate pool for new roles
Engaging current employees as referrals
Technology-Driven Hiring – Uses (cont.)
Natural language processing of applications
– Classify and rank resumes
– Identify anomalies (e.g., gaps in record, inaccuracy)
Predictive coding/ranking of resumes
Conducting interviews
– Video conference
– Facial recognition/analysis
Technology-Driven Hiring – Risks
Risks related to machine learning
Disparate impact discrimination
Technology-Driven Hiring – GDPR Requirements
Legal basis: pursuit of legitimate interest or consent
Necessity to carry out a DPIA
Providing candidates with information of recruitment techniques and processing
Data minimization – limited storage time
Biometric Information Privacy
Illinois, Texas, and Washington State laws
Many other states considering BIP laws
– Alaska, California, Idaho, Massachusetts, Michigan, Montana, New Hampshire, and New York
Biometric Information Privacy (cont.)
Biometric information is biologically unique to the individual
– Facial scan
– Iris/retina
– Fingerprints
– Voiceprint
– Hand scan
Overview: The Statute
740 ILCS 14/1 et seq., Illinois Biometric Information Privacy Act (“BIPA”)
Enacted in 2008
Purpose: to give individuals notice about how their “biometric identifiers” are going to be captured, used, stored, and destroyed, in order to assure them that their “biometric information” will not be stolen, sold, or misused
Overview: The Statute (cont.)
Important definitions
– Private Entity: any individual, partnership, corporation, limited liability company, association, or other group, however organized
• Defined broadly, and will likely affect most clients
– Biometric identifier: a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry
– Biometric information: any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual
Compliance: Employer Obligations
Develop a written policy (*made available to the public), establishing a retention schedule and guidelines for permanently destroying biometric identifiers/information
Compliance: Employer Obligations (cont.)
May not collect unless it first:
– Informs the individual in writing that a biometric identifier or biometric information is being collected or stored;
– Informs the individual in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
– Receives a written release executed by the individual
• Note: “written release” means informed written consent or, in the context of employment, a release executed by an employee as a condition of employment
Employer Obligations (cont.)
May not sell, lease, trade, or profit from biometric identifier or biometric information
May not disclose, re-disclose, or disseminate unless:
– The individual consents;
– The disclosure or re-disclosure completes a financial transaction requested or authorized by the individual;
– The disclosure or re-disclosure is required by state or federal law or municipal ordinance; or
– The disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
Employer Obligations (cont.)
If in possession, the employer must:
– Store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
Biometric Information Privacy – GDPR Requirements
Article 9: Prohibition to collect and process special categories of data including biometric data unless exceptions – employment may be an exception
Domestic rules regarding biometric data
France: the CNIL enacted a Model Regulation
Biometric Information Privacy – GDPR Requirements
CNIL Model Regulation: only to be used for controlling access to buildings or computer devices
Prohibition to use data requiring biological sampling (blood, saliva, etc.)
Demonstration of strict necessity to use biometric data
Limited list of data that can be collected
Limited list of person that can access the data
DPIA
Technical and organizational measures to ensure security
1. Privacy Shield
2. GDPR Update
3. Data Protection Impact Assessment (DPIA)
CJUE case C-311/18: Schrems II (ruling pending)
– Privacy Shield and standard contractual clauses are challenged and may be invalidated by the Court
– Position of the EDPB: “it is for SAs, in particular on the basis of a complaint, to assess whether the continuity of the protection afforded by Union law is ensured once the data were transferred, including whether the exporter and importer complied with their obligations under the SCCs. If not, SAs may suspend transfers.”
CJUE case T-738/16: LQDN
– Privacy Shield also challenged
– Ruling postponed to wait for the Court to rule in Schrems II
Article 32: Security measures
– Fines of up to 10M euros or 2% of total worldwide annual turnover
ICO:
– Intention to fine an airline company 200M euros: scam directing customers to a fake website
– Intention to fine a company 110M euros: data of 300M customers exposed
CNIL:
– Two companies fined 180,000 and 400,000 euros: websites not secure; allowing customers to access other customers’ personal files
Fines also issued by Poland (645,000 euros) and Romania (3,000 and 15,000 euros)
Brexit
Expected date: 31 October 2019
In case of a no-deal Brexit:
– Transfers from the EEA to the UK: necessity to use appropriate safeguards: SCCs, BCRs, codes of conduct or certification mechanisms; adequacy decision should be adopted eventually
– Transfers between UK and U.S.: necessity for companies to update public commitment to comply with Privacy Shield so that it extends to personal data flow from the UK
– Transfers between UK and third countries: SCCs and BCRs currently in place should remain applicable
Article 35 GDPR
EDPB Guidelines
– National lists of processing operations for which DPIA is mandatory: all of the 31 members of the EDPB have published a list
– National lists of processing operations exempted from DPIA: only France, Spain, and Czech Republic have drafted a list
Requirement to carry out a DPIA for processing operations “likely to result in a high risk to the rights and freedoms of natural persons”
EDPB: if 2 out of 9 criteria are met, DPIA necessary
1. Evaluation or scoring
2. Automated decision-making with legal or similar significant effect
3. Systematic monitoring
4. Sensitive data or data of a highly personal nature
5. Data processed on a large scale
6. Matching or combining datasets
7. Data concerning vulnerable data subjects
8. Innovative use or applying new technological or organizational solutions
9. Preventing data subjects from exercising a right or using a service or contract
Obligation to consult SA: Article 36 GDPR
The employer must define measures to mitigate the identified risks and reduce them to an appropriate level. If, even after the identification of measures, the risks to the rights and freedoms remain high, the data controller has an obligation to consult the relevant SA, prior to implementing the processing.
Sanction: failure to carry out DPIA or to consult SA: 10M euros or 2% worldwide turnover
Sweden: facial recognition used in school: fine of 20,000 euros (unlawful processing of biometric data + failure to conduct DPIA and consult Swedish SA)
U.S. Data Protection Laws
Duty allegations
– Design, maintain, and test security system
– Implement breach-detection processes
– Timely act on system alerts and warnings
– Maintain industry standard data security measures
U.S. Data Protection Laws (cont.)
Examples of conduct alleged to be negligent
– Mailing PII in window envelopes
– Leaving private encryption keys on server
– Website permitting hackers to send dangerous links to customers
– Inadequate vendor controls
– Failure to rectify inadequate safeguards
16
U.S. Data Protection Laws (cont.)
Still no federal umbrella
– FTC Unfair and Deceptive Trade Practices
State patchwork continues to evolve
– California Consumer Privacy Act (CCPA)
– Nevada Internet Privacy Act
– Maine
– Cities (e.g., San Jose CA Privacy Principles)
U.S. Data Protection Laws (cont.)
Litigation risks and theories are expanding
– Invasion of privacy claims
– Negligence theory
  • Duty to protect personal information
  • Duty to implement and maintain reasonable security measures
17
I. Technology-Driven Hiring
II. Biometric Information Privacy
III. International Data Protection Law Update
IV. U.S. Data Protection Laws
V. Physical and Electronic Surveillance
VI. Scam Avoidance
Physical and Electronic Surveillance
Computer monitoring
– Electronic Communications Privacy Act
– Stored Communications Act
Telephone and voice mail monitoring
– Federal Wiretap Act
– State wiretap laws
Internet usage tracking
Video surveillance
18
Physical and Electronic Surveillance
GPS tracking
Driver analytics
Off-duty conduct
Social media usage
Employee searches
Physical and Electronic Surveillance – GDPR Requirements
General conditions:
Legal basis: consent cannot be used; only legitimate interest or necessity to perform contracts
DPIA
Information of employees prior to implementation
Some countries also require information and consultation of Workers’ Council
19
Physical and Electronic Surveillance – GDPR Requirements
Social Media
– Legal basis: legitimate interest, for example
– Only if used for a professional purpose by the employee
Video Surveillance
– Legal basis: legitimate interest, as long as employees’ interests or fundamental rights and freedoms do not override the pursuit of such interest
– DPIA
– Must not be excessive: the CNIL fined a company 20,000 euros for excessive video surveillance
– Cannot be used to identify special categories of data
– Carefulness with storage time: usually only a few days and in any event no longer than a month
Physical and Electronic Surveillance – GDPR Requirements
Geolocation
DPIA and Legal basis: legitimate interest
Should only be used as a ‘last resort’
French Supreme Court: “the use of a geolocation system to ensure working time control, which is lawful only when such control cannot be carried out by any other means, even if less effective than geolocation, is not justified when the employee has freedom in the organization of his work” (Cass., 19 December 2018, n°17-14.631)
Must allow employees to deactivate it during break periods
Illegal to geolocate staff representatives during delegation hours
Can never be used to monitor and evaluate employees or to control respect of speed limits
20
Physical and Electronic Surveillance – GDPR Requirements
Predictive Analysis
Article 4 GDPR defines profiling as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, reliability, [or] behavior”
Article 22 GDPR: right to refuse profiling or automated decision-making unless necessary for performance of employment contract
I. Technology-Driven Hiring
II. Biometric Information Privacy
III. International Data Protection Law update
IV. U.S. Data Protection Laws
V. Physical and Electronic Surveillance
VI. Scam Avoidance
21
Scam Avoidance – GDPR Requirements
Article 32 GDPR: Obligation to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk for the rights and freedoms of data subjects
CNIL guidance on security:
Pseudonymisation
Data minimization
Regular auditing
Encryption
Securing websites, servers, and workstations
Etc.
Scans, Surveillance, and Scams—Top Privacy Developments
Presented by
Cécile Martin (Paris)
Danielle Vanderzanden (Boston/Portland (ME))
Moderated by
Thomas E. Deer (Chicago/Indianapolis)
Thomas E. Deer
Shareholder || Chicago, Indianapolis
Mr. Deer is currently serving his second term as a member of the Firm’s
Board of Directors. Mr. Deer represents management in a variety of
employment-related matters, including litigation involving age, race, sex,
and disability discrimination claims, covenants not to compete, trade
secrets, wage and hour claims, ERISA claims, and other workplace
torts. Mr. Deer has a national employment practice, and has defended
cases for employers from coast to coast. Mr. Deer also serves as the
relationship partner for a number of the firm’s national clients. In that
role, he manages an Ogletree Deakins team to service the client’s labor
and employment needs across a number of jurisdictions. Mr. Deer has
particular industry experience in the retail, financial, staffing, and higher
education industries. Since ����, Mr. Deer has been named in every
edition of The Best Lawyers in America.
Mr. Deer has acted as lead trial counsel in employment
discrimination/wrongful discharge and non-compete cases in federal
district and state courts. At one jury trial, Mr. Deer’s client received a
defense verdict of no liability on a novel “gender plus” legal theory. In
another, Mr. Deer’s client received a directed verdict on liability.
Mr. Deer also practices traditional labor law. His labor experience
includes bargaining contracts, handling labor arbitrations, grievance
administration, and the defense of unfair labor practice charges before
the NLRB.
Mr. Deer is a frequent speaker and author. He has been a speaker and
moderator at American Bar Association meetings, including twice at the
ABA’s Annual Meeting. He regularly performs training for clients on all
aspects of labor and employment law.
Cécile Martin
Managing Partner || Paris
Cécile Martin is the Managing Partner of the Ogletree Deakins Paris
office and is a co-chair of the firm’s Mergers and Acquisitions practice
group. She advises clients on compensation policies (including material
risk takers), discrimination and harassment litigation, corporate
restructuring, mass redundancies plans as well as collective litigation.
By starting her career at the French Data Protection Agency (CNIL),
Cecile has developed leading edge skills particularly on topics related to
GDPR employee monitoring at the workplace, whistleblowing alerts,
social media use and international data transfer.
Cécile has been a member of the European Advisory Board of the
International Association of Privacy Professionals (IAPP) since ����
and is also a member of the firm’s International and Data Privacy
practice groups. She was ranked in ���� and ���� “Next Generation
Lawyer” by Legal 500 and “Up-and-Coming” by Chambers. She lectures
on data protection law at Paris La Sorbonne University and regularly
provides training to companies regarding the compliance with the
GDPR.
Cécile speaks French and English.
Danielle Vanderzanden
Shareholder || Boston, Portland (ME)
Ms. Vanderzanden is a Shareholder in the Boston and Portland (ME)
offices, and Co-Chair of the firm’s Data Privacy Practice Group. She
specializes in the areas of privacy, restrictive covenant, wage and hour,
discrimination and labor and employment litigation and counseling.
She devotes her practice to helping employers with employment-related
disputes, conducting investigations and providing counsel to clients
seeking to reduce their potential for liability to their employees and third
parties. She has personally conducted dozens of investigations,
including investigations involving employee allegations of misconduct
by company executives and systemic discrimination.
She is CIPP/US certified by the International Association of Privacy
Professionals and provides advice regarding cybersecurity and privacy
matters, including applicable state, federal and multi-national privacy
and information security requirements. For nearly ten years, she has
provided clients with advice regarding written information security
policies and all aspects of data breach remediation, response and
notification. She has counseled dozens of clients through the process of
complying with a myriad of data breach notification requirements
among the 50 United States and in a variety of multi-national data
breach scenarios. She routinely helps clients navigate the choppy waters
churned by the challenges of social networking sites, the Internet of
Things and related technological developments. In ����, the National Law
Journal selected Ms. Vanderzanden for inclusion on its inaugural list of
“Cybersecurity & Data Privacy Trailblazers.”
She has successfully represented clients in numerous cases involving
restrictive covenants and intellectual property disputes and claims for
ERISA benefits and executive compensation. She has defended single
plaintiff and class and collective action wage and hour disputes
(including, but not limited to, claims under the Fair Labor Standards Act,
the Massachusetts Wage Payment Law and the Massachusetts Tip
Pooling Statute); sex, race, age, religion and disability discrimination
and/or harassment claims; and tort and retaliation matters. She has
many years of experience defending clients against privacy-related
claims, and she regularly helps clients develop policies, practices,
protocols, training programs, audits and remedial measures to diminish
the risks associated with information security breaches.
Ms. Vanderzanden regularly speaks before industry groups and legal
organizations and at conferences, roundtables, webinars and seminars.
She also provides internal training programs on topics such as data
privacy and security compliance, conducting effective internal
investigations, protecting intellectual property and human resource
assets, and complying with applicable wage and anti-discrimination laws.
She is an effective trial lawyer who has tried over �� cases by herself or
as first chair and has managed and resolved or taken to hearing dozens
of employment arbitrations.
In addition to many years of experience litigating in the U.S. Court of
Appeals, First and Second Circuits, and in the state and federal courts in
Massachusetts, Maine, New Hampshire and Vermont, she also has
represented numerous clients in arbitrations before the AAA, NASD,
and FINRA.
Comments of others, particularly clients, best describe Ms.
Vanderzanden’s legal skills. The ���� Chambers and Partners Client
Guide notes that clients say that she “hones in on the issues with a
laser-like focus and is creative in how she makes her points.” The same
Guide described her as “incredibly talented, very quick on her feet and
very good strategically.” In its ���� Client Guide, Chambers described
Ms. Vanderzanden as providing “immediate, practical and
comprehensive advice in all areas of employment law.” And, the ����
Client Guide reported that she “is praised for her outstanding work in
noncompete and wage and hour claims.”