Implementation status and background to the directive
The European Whistleblowing Directive (WBD) was supposed to be implemented by the European Union’s 27 member states by no later than December 17, 2021, impacting employers with operations in those jurisdictions.
One year on from this deadline, despite the European Commission (EC) commencing infringement procedures against those countries
In less than two months, on January 1, 2023, the California Consumer Privacy Act (CCPA) as revised by the California Privacy Rights Act (CPRA) will take effect fully in the job applicant and employment context.
And with respect to job applicants and personnel, businesses subject to the CCPA will be required to (i) issue further revised privacy notices, (ii) be ready to respond to data subject requests, (iii) have determined if they sell or share for cross context behavioral advertising personal information about them, and (iv) have determined if they use or disclose sensitive personal information about them outside of specific purposes. If employers sell, share for cross-context behavioral advertising, or use or disclose sensitive personal information outside of limited purposes, numerous additional compliance obligations apply. See also our related previous post: Employers Must Prepare Now for New California Employee Privacy Rights.
1. Review contracts with parties to whom you disclose personal information about applicants and personnel. The CCPA prescribes certain types of clauses that have to appear in agreements between parties exchanging personal information, and you will have to include certain data processing clauses if you do not want to be considered to be “selling” (which the CCPA defines to mean disclosing in exchange for monetary or valuable consideration) or “sharing” (which the CCPA defines to mean disclosing for the purposes of cross-context behavioral advertising) personal information and offer related opt-out processes. It is not practical for employers to offer opt-out rights in most scenarios, due to the CCPA’s non -discrimination requirements. The CCPA regulations, which are currently being revised by the California Privacy Protection Agency (latest draft as of this publication is available here), include additional requirements. Businesses should continue to update such contracts with parties it discloses personal information to.
2. Prepare/revise notices at collection and include HR data in your online CCPA Privacy Policy. At collection notices in the employment context have been required under the CCPA since 2020, but new specific disclosure requirements apply from January 1, 2023. Your comprehensive online CCPA privacy policy will also have to reflect your processing of HR data. You should consider updating/preparing a privacy notice at collection that is specific to the CCPA and separate from any privacy notice you might use to address privacy laws in other jurisdictions, since California laws establish increasingly unique requirements and use unique terms that may be difficult to reconcile with those of other jurisdictions (from January 1, 2023, businesses must use specific terms from the CCPA to describe categories of personal information in all notices at collection). At the same time, you have to be mindful of setting or negating privacy expectations. If you issue privacy notices to job applicants and personnel that merely address CCPA disclosure requirements, the recipients of such notices may develop privacy expectations that could later hinder you in conducting investigations or deploying monitoring technologies intended to protect data security, co-workers, trade secrets and compliance objectives.
Continue Reading California Privacy Law Action Items for Employers
Many thanks to our data privacy colleague, Helena Engfeldt, for co-authoring this article.
Many organizations are proactively advancing diversity and inclusion goals globally to include a focus on recruitment and employee-directed initiatives. These efforts are consistent with organizational values and business goals, even in cases where diversity data collection may have the
Special thanks to Lothar Determann, Helena Engfeldt, Jonathan Tam, Andrea Tovar, and Vivian Tse.
2022 is looking to be an unprecedented year for California companies’ privacy law obligations. The California Privacy Rights Act (CPRA) takes effect on January 1, 2023 with a twelve-month look-back that also applies to the personal
In brief
As the COVID-19 pandemic stretched across the globe, companies shifted to remote working environments and many reduced staff, all without much of an opportunity to prepare. The past two months have presented a serious threat to data security, including the most vulnerable financial data, personal data of employees and customers, and trade secrets. These risks cut across all sectors — financial services, industrial manufacturers, health care, and professional services. Recent experience confirms that an effective information security strategy should target these most-common threats: phishing, data sprawl, and employee mobility/redundancies.
How to Protect Your Company
Take a holistic approach to threat mitigation and data loss prevention in the face of increased risks. Such an approach must account for data protection, intellectual property (including trade secrets), and employment law. Here are the action items in these uncertain times to help address and mitigate the legal and regulatory risks:
(With thanks to Lois Rodriguez from our Madrid office for preparing this post in collaboration with Yana Komsitsky.)
Before conducting workplace surveillance, employers who want to monitor their workplaces, even if they suspect their employees of stealing or other nefarious activity, should heed the recent European Court of Human Rights (ECHR) judgement in the case of Lopez Ribalda and others v. Spain.
In early January, the ECHR held in favor of five supermarket chain employees who had been dismissed after they were caught stealing on hidden cameras because the cameras had intruded on their right to respect for private and family life.
