The EU-US Privacy Shield for transatlantic data transfers makes its debut

Announced on February 2, 2016 by the European Commission, the new political agreement, called the Privacy Shield, reflects the requirements set out by the European Court of Justice in its ruling on October 6, 2015, which declared the old Safe Harbor privacy framework invalid.

The new arrangement calls for strong data privacy and security measures and robust enforcement of U.S. companies handling Europeans’ personal data, clear safeguards and transparency for U.S. government access, and effective protection of EU citizens’ rights with several redress possibilities.

The College of Commissioners is now preparing an adequacy decision regarding the Privacy Shield. The Article 29 Working Party (the “Working Party”), a data protection authority, is requesting that all documents be provided by the end of February 2016 so that it can complete its assessment of the new framework at a special plenary meeting shortly thereafter. In a statement issued February 3, 2016, the Working Party provided some assurances that during this period of transition, transfer mechanisms such as standard contractual clauses (which are data transfer agreements approved by the Commission) and binding corporate rules (generally described as internal data processing rules, binding on all members of a global corporate group, that permit intragroup transfers of personal data) can still be used as transfer tools to the U.S.

Organizations that certified compliance under the Safe Harbor regime must continue to meet their obligations in connection with previously transferred personal data to avoid enforcement actions by the Commerce Department or the Federal Trade Commission, which consider the Safe Harbor as still binding. In the interim, implementing the above-mentioned clauses should also be considered to the extent they supplement the Safe Harbor platform. It appears that the Privacy Shield, at least initially, will rely significantly on the Safe Harbor framework, and it is likely that the Department of Commerce will offer a means for Safe Harbor certified organizations to transition to the Privacy Shield.

February 24th, 2016|Educational Series, European Union, Guidance|

CFPB publishes annual guide about consumer reporting agencies

Every year, the Consumer Financial Protection Bureau (the “CFPB”) updates and publishes a guide to consumer reporting companies. The guide includes information in connection with requesting a consumer report from the three largest nationwide consumer reporting companies and dozens of specialty reporting companies, tips regarding specialty reports, updated information about authentication of identity when requesting a consumer report, information on companies that provide free credit scores, and rights with respect to consumer reports.

The CFPB notes that in prior years, its guide referred to consumer reporting businesses as “agencies” or “bureaus,” and that these terms can be confusing because they may imply these businesses are government entities. They are not—these companies are private-sector, for-profit entities, and in this year’s guide, the CFPB refers to them as “companies” for better clarity.

February 23rd, 2016|Educational Series|

What’s up with California’s new E-Verify law?

The new law, AB 622, which went into effect January 1, 2016, adds Labor Code section 2814 to strengthen current California prohibitions on employers’ use of E-Verify and other electronic employment eligibility verification systems.  Labor Code section 2811 (enacted in 2011) already prohibits private employers from using E-Verify or such other verification systems, unless required by federal law or as a condition of receiving federal funds.

The amended Labor Code section 2814 expands the definition of an unlawful employment practice to prohibit an employer or any other person or entity from using the E-Verify system at a time or in a manner not required by a specified federal law or not authorized by a federal agency memorandum of understanding to check the employment authorization status of an existing employee, or an applicant who has not received an offer of employment, except as required by federal law or as a condition of receiving federal funds. The new law also requires an employer that uses the E-Verify system to provide to the affected employee any notification issued by the Social Security Administration or the United States Department of Homeland Security containing information specific to his/her E-Verify case or any tentative non-confirmation notice. Employers will now face a civil penalty of $10,000 for each violation of these provisions.

  • Read the text of AB 622
  • Read guidance published by the U.S. Department of Homeland Security on conducting internal audits regarding Form I-9 compliance

February 23rd, 2016|Employment Decisions|

FTC files charges against operators of alleged high school diploma mills

The Federal Trade Commission (the “FTC”) filed complaints on February 10, 2016 against two operators of online “high schools” that claim to be legitimate but allegedly are diploma mills, charging anywhere from $135 to $349 for a worthless certificate.

Complaints in both cases filed by the FTC in the U.S. District Court for the District of Arizona charge that the operators bought several website names designed to appear like legitimate online high schools and used deceptive metatags with terms such as “GED” and “GED online” to bring the bogus sites higher in search rankings. Once consumers got to the sites, messages popped up implying that the diplomas offered were equivalent to an actual high school diploma.

According to the FTC’s documents, the “courses” amounted to four untimed and unmonitored multiple-choice tests, requiring that students answer 70% of each test correctly. For some “high schools,” when students failed to meet that standard, they were redirected to the test once more, and this time, the correct answers were highlighted so that the students could change their answers.  Other “high schools” provided students with an online “study guide” that also highlighted the correct answer for students to select when taking the test.

The FTC’s documents charge that, upon completing the tests, consumers were directed to a set of menus to evaluate their “life experiences,” where a consumer’s selecting that he/she knows how to “balance [a] checkbook” translates as credit for accounting coursework. If a consumer says he/she “listen[s] to music occasionally,” he/she may be given credit for a music appreciation course.

The FTC’s complaints in both cases point to numerous consumers who sought to use the diplomas to get jobs, apply for college and even join the military, only to find out that their diplomas were not recognized.

February 23rd, 2016|Fraud, Lawsuit|

Uber settles class-action for $28.5 million for misleading claims about drivers’ background checks

On February 12, 2016, Uber agreed to settle a consolidated class-action filed in the U.S. District Court for the Northern District of California (Philliben v. Uber Technologies, Inc. and Mena v. Uber Technologies, Inc.) by paying $28.5 million to approximately 25 million riders and promising to avoid using certain language in safety-related advertising, as well as the term “safe ride fee.”

In their complaint filed in 2014, the plaintiffs alleged that Uber’s claim of conducting “industry-leading background checks,” for which they paid a “safe ride fee” of $1 to $2 on top of each fare, was false and misleading. According to the complaint, Uber does not and has never had an “industry-leading background check process.” To the contrary, the complaint stated that background screening by Uber does not involve fingerprint identification and, therefore, cannot ensure that the information obtained from a background check actually pertains to the driver that submitted the information. By contrast, most taxi regulators in the United States require drivers to undergo criminal background screening, using fingerprint identification, and typically employing a technology called “Live Scan.” Going forward, Uber said it will rename the “safe ride fee” as a “booking fee,” which will be used to cover safety and additional future operational costs.

If the judge approves the settlement, members of the class who rode in an Uber vehicle in the United States between January 1, 2013 and January 31, 2016 will be eligible to receive a portion of the settlement.  If that pot is divided evenly among Uber’s 25 million passengers, after attorneys’ fees, each will get around $1.

Read the consolidated class-action complaint here.

February 23rd, 2016|Lawsuit|

Province of Ontario passes the Police Record Checks Reform Act

On December 1, 2015, Ontario passed the Police Record Checks Reform Act, 2015 (the “Act”), which has significant implications regarding criminal record checks. The Act establishes comprehensive standards governing the type of information that can be disclosed by police in response to record check inquiries, and is intended to remove unnecessary barriers to employment, licensing, holding office, applying to educational programs and participating in volunteer activities. Its main objective is to prevent the inappropriate disclosure of non-conviction and non-criminal records, such as information obtained from street checks or “carding,” as well as mental health information.

Possibly the most significant requirement under the Act is that the individual must review the requested information and then consent to its disclosure. In the event that potentially inappropriate non-conviction information is included in a record, the Act provides that the individual may request a reconsideration of the disclosure. As a result, employers who conduct employment criminal record checks will now only be able to obtain the results if the applicant/employee has consented to the disclosure. 

December 22nd, 2015|Legislation|

Employers in New Jersey may face tougher restrictions for employment credit checks

Assembly Bill A2298, which prohibits employment discrimination against a current or prospective employee based on information in a credit report, advanced to a second reading on December 14, 2015. The proposed legislation prohibits an employer from requiring a credit check on a current or prospective employee, unless the employer is required to do so by law, or reasonably believes that an employee has engaged in a specific activity that is financial in nature and constitutes a violation of law. The bill does not prevent an employer from performing a credit inquiry or taking action if credit history is a bona fide occupational qualification of a particular position or certain employment classifications. An earlier version of the legislation passed the Senate in May 2012 in a 22-16 vote but was never voted on in the full Assembly.

December 22nd, 2015|Employment Decisions, Legislation|

Portland’s new ban-the-box law goes beyond Oregon’s version

Effective July 1, 2016, covered Portland businesses will be prohibited from asking job applicants about their criminal history or accessing such records until after a conditional offer has been extended. The city’s legislation goes beyond the state’s law, which, beginning January 1, 2016, prohibits Oregon businesses, unless exempted, from including criminal history questions during the preliminary hiring stages, but allows the inquiries during the interview process.

Just as with Oregon’s ban-the-box law, businesses within the city of Portland are excluded from coverage when hiring for certain positions, which include law enforcement, criminal justice, and working with children, the elderly, people with disabilities, and other groups considered vulnerable.

December 22nd, 2015|Legislation|

Philadelphia expands its ban-the-box ordinance

On December 15, 2015, Philadelphia Mayor Michael Nutter signed Bill 150815 expanding the city’s ban-the-box legislation. The new ordinance, which goes into effect on or about March 14, 2016, amends Chapter 9-3500 of the Philadelphia Code entitled “Fair Criminal Records Screening Standards,” by modifying certain definitions and adding additional requirements regarding the screening of job and license applicants for criminal history. With limited exceptions, the new ordinance applies to employers having any employees within the city of Philadelphia. (The prior ordinance covered employers with 10 or more employees.)  The highlights of the law include:

  • questions about criminal records must be removed from the job application–the ordinance specifically notes that multi-state applications may not include the question with a disclaimer for Philadelphia applicants not to answer;
  • employment materials cannot contain questions about or refer to the applicant’s willingness to submit to a background check before a conditional offer has been extended;
  • criminal record inquiries must be postponed until after a conditional offer has been made;
  • notice of the background check must state that any consideration of the results will be tailored to the job;
  • employment decisions can only include a conviction that occurred less than seven years ago–employers may add to the seven-year period any time of actual incarceration served because of the offense;
  • screening process must include individualized assessment for each applicant;
  • if the applicant is rejected based on a criminal conviction, he/she must be advised of the specific reason and provided with a copy of the record.

December 22nd, 2015|Educational Series, Employment Decisions|

Phony job applicants targeting employers to collect on FCRA violations

As we reported throughout the year, class-actions brought against employers under the Fair Credit Reporting Act (“FCRA”) alleging hyper-technical violations are proliferating, with several resulting in multi-million dollar settlements.

But there appears to be a new development in this area. According to a National Law Review article, phony job applicants who have no intention of being employed with the targeted companies are submitting employment applications solely to position themselves as plaintiffs in class action litigation and potentially get a windfall settlement. The National Law Review article reports that the fake applicants typically fill out an online job application (usually with companies that have nationwide operations), sign the background check authorization, and then, after receiving an offer or rejection letter, send a demand letter stating that the employer’s background check disclosure form or process does not comply with the requirements imposed by the FCRA and demanding huge payouts to settle their claims and avoid the filing of a class action lawsuit.

The FCRA provides for statutory damages ranging from $100 to $1,000 per violation for non-compliance with the FCRA’s notice and disclosure requirements, even where the plaintiff has suffered no actual harm or damag

December 22nd, 2015|FCRA, Lawsuit|