Legal Implications of Facebook Hearing for Whistleblowers & Employers – Privacy Issues on Many Levels

On Sunday, October 3rd, Facebook whistleblower Frances Haugen publicly revealed her identity on the CBS television show 60 Minutes. Formerly a member of Facebook’s civic misinformation team, she previously reported them to the Securities and Exchange Commission (SEC) for a variety of concerning business practices, including lying to investors and amplifying the January 6th Capitol Hill attack via Facebook’s platform.

Like all instances of whistleblowing, Ms. Haugen’s actions have a considerable array of legal implications — not only for Facebook, but for the technology sector and for labor practices in general. Especially notable is the fact that Ms. Haugen reportedly signed a confidentiality agreement, sometimes called a non-disclosure agreement (NDA), with Facebook, which may complicate the legal process.

What are the Legal Implications of Breaking a Non-Disclosure Agreement?

After secretly copying thousands of internal documents and memos detailing these practices, Ms. Haugen left Facebook in May, and testified before a Senate subcommittee on October 5th. Because she revealed information from the documents she took, Facebook could take legal action against Ms. Haugen if it accuses her of stealing confidential information. Ms. Haugen’s actions raise questions about the enforceability of non-disclosure and confidentiality agreements when it comes to filing whistleblower complaints.

“Paradoxically, Big Tech’s attack on whistleblower-insiders is often aimed at the whistleblower’s disclosure of so-called confidential inside information of the company.  Yet, the very concerns expressed by the Facebook whistleblower and others inside Big Tech go to the heart of these same allegations—violations of privacy of the consuming public whose own personal data has been used in a way that puts a target on their backs,” said Renée Brooker, a partner with Tycko & Zavareei LLP, a law firm specializing in representing whistleblowers.

Since Ms. Haugen came forward, Facebook stated they will not be retaliating against her for filing a whistleblower complaint. It is unclear whether protections from legal action extend to other former employees, as is the case with Ms. Haugen.

“Other employees like Frances Haugen with information about corporate or governmental misconduct should know that they do not have to quit their jobs to be protected. There are over 100 federal laws that protect whistleblowers – each with its own focus on a particular industry, or a particular whistleblower issue,” said Richard R. Renner of Kalijarvi, Chuzi, Newman & Fitch, PC, a long-time employment lawyer.

According to the Wall Street Journal, Ms. Haugen’s confidentiality agreement permits her to disclose information to regulators, but not to share proprietary information. That is a tricky balancing act to navigate.

“Big Tech’s attempts to silence whistleblowers are antithetical to the principles that underlie federal laws and federal whistleblower programs that seek to ferret out illegal activity,” Ms. Brooker said. “Those reporting laws include federal and state False Claims Acts, and the SEC Whistleblower Program, which typically feature whistleblower rewards and anti-retaliation provisions.”

Legal Implications for Facebook & Whistleblowers

Large tech organizations like Facebook have an overarching influence on digital information and how it is shared with the public. Whistleblowers like Ms. Haugen expose information about how companies accused of harmful practices act against their own consumers, but they also risk disclosing proprietary business information, which may or may not be harmful to consumers.

Some of the most significant concerns Haugen expressed to Congress were the tip of the iceberg according to those familiar with whistleblowing reports on Big Tech. Aside from the burden of proof required for such releases to Congress, the threats of employer retaliation and legal repercussions may prevent internal concerns from coming to light.

“Facebook should not be singled out as a lone actor. Big Tech needs to be held accountable and insiders can and should be encouraged to come forward and be prepared to back up their allegations with hard evidence sufficient to allow governments to conduct appropriate investigations,” Ms. Brooker said.

As the concern for cybersecurity and data protection continues to hold public interest, more whistleblower disclosures against Big Tech and other companies, which could hold them accountable, are coming to light.

Haugen’s testimony at the October 5, 2021 Congressional hearing revealed a possible expanding definition of media regulation versus consumer censorship. Although these allegations were the latest against a large company such as Facebook, more whistleblowers may continue to come forward with similar accusations, bringing additional implications for privacy, employment law and whistleblower protections.

“The Facebook whistleblower’s revelations have opened the door just a crack on how Big Tech is exploiting American consumers,” Ms. Brooker said.

This article was written by Rachel Popa, Chandler Ford and Jessica Scheck of the National Law Review. To read more articles about privacy, please visit our cybersecurity section.

Mama Always Said, ‘Tell the Truth,’ Especially When It Comes to COVID-19

Since the outbreak of the COVID-19 pandemic earlier this year, employers have been placed in the position of having to deal with numerous conflicting legal and moral obligations. Prior to the pandemic, by virtue of the Americans with Disabilities Act and similar state and local laws, employers were greatly limited in the questions they could ask prospective and current employees about their individual health conditions. Similarly, unless they were seeking a workplace accommodation, employees did not have to disclose their personal health conditions to their employer.

In the battle to quell the pandemic, the rules have changed significantly.  Employers have greater leeway to ask questions related to the pandemic and employees who may have medical conditions previously unknown to the employer are disclosing them because of their concerns about increased susceptibility to becoming infected by the virus.  At the same time, getting quick and reliable information about an employee’s COVID-19 status may be difficult.  Frequently, an employee will only receive an initial verbal confirmation of a positive test and have to wait days for the written report.  Complicating matters are reports in the media of employees who have falsely told their employer they tested positive.  In some of the reported cases, upon hearing of a positive test, the employer shut down its entire operation for a deep cleaning only to later have the employee retract their statement they were positive.  In some of these falsification incidents, employees are now facing criminal prosecution.  What is an employer to do?

Trust but Verify

The vast majority of employees are honest and deeply concerned about their employer’s response to COVID-19. Therefore, if an employee reports they have tested positive, the employer should not wait for written verification but should immediately begin to follow the Centers for Disease Control or local health authority protocols. At the same time, employers should take all possible steps to verify the accuracy of what the employee is reporting.

In cases of suspected fraud, here are some steps an employer can and should take:

  1. Require the employee to provide written confirmation.  As noted above, employers should understand that a written confirmation of a positive COVID-19 test may not be immediately available to the employee.  Many test sites provide only a verbal response with the written verification following days later.  Employers should still require written confirmation of the verbal positive result.
  2. While waiting for written confirmation of test results, ask the employee specifically where and when they went for testing and verify the accuracy of that information.  In one case reported in the media, a suspicious HR manager determined that the hospital where the employee claimed to have been tested was not even performing COVID-19 tests.
  3. Carefully examine any written documentation provided by the employee.  Doctor’s notes and other non-detailed information can be verified by a Google search to determine that the practitioner is real.  A phone call to that practitioner should be able to easily confirm the truth of the matter on the documentation.
  4. Communicate to employees in advance that falsification of employee records and information, especially something as critical as a positive COVID-19 test, can be grounds for discipline, including termination of employment.

© 2020 Foley & Lardner LLP

For more on employers’ COVID-19 considerations, see the National Law Review Coronavirus News section.

Temperature Checks: Three Things to Know Before Screening Employees and Customers

As businesses begin the calculated process of re-opening their doors to employees and customers, many are considering implementing temperature checks to monitor for at least one known COVID-19 symptom – the fever.

Beyond nailing down the logistics of temperature checks (e.g., who will perform them, has that person been trained, do employees need to be paid while waiting in line, how will social distancing be maintained, etc.) there are several significant legal considerations that should be evaluated before implementation.

The Illinois Biometric Privacy Act

Some temperature screening devices utilize facial-recognition technology to quickly identify those with fever so that they can be promptly tracked down and removed from the facility. While these systems provide logistical advantages, especially to large employers and retailers, they likely implicate provisions of the Illinois Biometric Privacy Act (BIPA) which can lead to costly litigation and result in stiff penalties for anyone who violates the statute, even unwittingly.

According to BIPA, businesses utilizing this type of facial-recognition technology must obtain advance, written consent from the individuals to be scanned, and must also maintain a publicly available policy that specifies information regarding the collection, use, storage, and destruction of individuals’ biometric information. And, again, these policies and consents must be executed and implemented before temperature screenings begin. It is, therefore, critical to determine whether your temperature screening devices perform facial recognition scans or capture other biometric information.

Confidentiality of Employee Information

Employers screening employee temperatures must also remember they are conducting a “medical examination,” as defined by the Equal Employment Opportunity Commission (EEOC), and would be wise to adhere to the EEOC’s guidance on the issue. This means information collected about employees’ temperature, such as the temperature readings themselves, or the fact that an employee had or has a fever, must be treated as confidential medical information and maintained in a confidential file separate from an employee’s personnel file. Employers should also take care to not divulge the identity of any employee sent home with fever, absent consent from the employee to share that information with other personnel, or a strict need-to-know among involved supervisor(s) or members of human resources.

The California Consumer Privacy Act

California’s sweeping new privacy law, the California Consumer Privacy Act (CCPA), contains broad protection of consumers’ “personal information,” and requires businesses subject to the statute to, among other things, notify consumers when their personal information is being collected. Though body temperature is not explicitly mentioned in the statute, the definition of “personal information” is broad, and includes information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer …” It includes biometric information. Whether an individual’s temperature constitutes personal information is up for some debate, but debates often lead to costly litigation, and it is easy enough to amend CCPA notices to include temperature until that debate is resolved in an effort to avoid litigation altogether.

So, if a business is subject to the CCPA and intends to collect employee or customer temperatures (whether or not with the use of biometric technology), it should consider updating its CCPA notices to add “temperature” (and, if applicable, scans of face geometry) to the list of personal information collected.


© 2020 Much Shelist, P.C.

For more employer COVID-19 guidance, see the National Law Review Coronavirus News section.

Good News for Companies: Seventh Circuit Holds Removal of Plaintiffs’ Biometrics Privacy Claims to Federal Court OK

In a widely watched case, the Seventh Circuit decided last week that companies that collect individuals’ biometric data may be able to defend their cases in federal court when plaintiffs allege a procedural violation of Illinois’ Biometric Information Privacy Act (BIPA).

In Bryant v. Compass Group USA, Inc., the Seventh Circuit held that certain procedural violations of Illinois’ BIPA constituted actual injuries and therefore satisfied the requirements for federal court standing. Relying on Spokeo, the seminal U.S. Supreme Court case addressing what constitutes an actual injury for standing purposes, the court held that the plaintiff’s allegations, if proven, would demonstrate that she suffered an actual injury based on the fact that Compass did not obtain her consent before obtaining her private information. Therefore, the case could remain in federal court.

The decision now gives defendants that want to defend BIPA claims in federal court a roadmap for their arguments, including access to a larger jury pool, the Federal Rules of Procedure, and other federal court-related advantages. It is also notable because BIPA defendants have attempted to remove BIPA cases to federal court and then file motions to dismiss them for lack of standing. However, the federal courts have typically remanded these cases, forcing defendants back into state court and sometimes even requiring them to pay just costs and any actual expenses, including attorney fees, incurred as a result of the removal.[1]

What Happened in Bryant v. Compass Group USA

In Compass Group USA, a customer sued a vending machine manufacturer after she scanned her fingerprint into a vending machine to set up an account during her employer’s orientation. She then used her fingerprint to buy items from the vending machine.

The plaintiff filed a putative class action lawsuit on behalf of herself and all other persons similarly situated in state court alleging that Compass violated her statutory rights under BIPA by 1) obtaining her fingerprint without her written consent and 2) not establishing a publicly available data retention schedule or destruction guidelines for possession of biometric data as required by the statute.

Shortly after the plaintiff filed suit in Cook County Circuit Court, Compass filed a notice to remove the case to the Northern District of Illinois. Opposing the motion, the plaintiff argued that she did not have federal standing for her BIPA claims because she had not alleged an injury-in-fact as required by Article III.

Compass argued that the plaintiff had alleged an injury-in-fact under Article III, pointing to the recent Illinois Supreme Court case, Rosenbach v. Six Flags Ent. Corp., which held that plaintiffs can bring BIPA claims based on procedural violations, even if they have suffered no actual injury. Rosenbach held that, if a company, for example, fails to comply with BIPA’s requirement of establishing destruction guidelines for possession of biometric data, that violation alone – without any actual pecuniary or other injury – creates an actual injury.

The district court sided with the plaintiff and concluded that Rosenbach merely established “the policy of the Illinois courts” to allow plaintiffs to bring BIPA claims without alleging an actual injury. Rosenbach did not interpret procedural BIPA violations to be actual injuries.

Because the plaintiff’s claims did not establish Article III standing, the district court granted the plaintiff’s motion to remand the case back to state court.

The Seventh Circuit reversed, relying on Spokeo. It interpreted Spokeo as holding that injuries may still be particularized and concrete – i.e., actual – even if they are intangible or hard to prove. The court also cited Justice Thomas’ concurrence in Spokeo that distinguished between private rights (which courts have historically presumed to cause actual injuries) and public rights (which require a further showing of injury).

The court held that the plaintiff had alleged that she suffered an actual injury when Compass collected her biometric data without obtaining her informed consent because this was a private right. The court also relied on Fed. Election Comm’n v. Akins, 525 U.S. 11 (1998). In Akins, the Supreme Court held that nondisclosure can be an actual injury if plaintiffs can show an impairment of their ability to use information in a way intended by the statute. The court in Compass similarly held that the defendant had denied the plaintiff the opportunity — and statutory right — to consider whether the terms of the defendant’s data collection and usage were acceptable. As a result, the court held that the plaintiff alleged an actual injury.

By contrast, the court determined that the plaintiff’s other claim – that the defendant violated BIPA by failing to make publicly available a data retention schedule and destruction guidelines for possession of biometric data – implicated a public right and did not cause the plaintiff an actual injury.


[1] See, e.g. Mocek v. Allsaints USA Ltd., 220 F. Supp. 3d 910, 914 (N.D. Ill. 2016) (“Defendant’s professed strategy of removing the case on the basis of federal jurisdiction, only to turn around and seek dismissal with prejudice—a remedy not supported by any of defendant’s cases—on the ground that federal jurisdiction was lacking, unnecessarily prolonged the proceedings. . . . For the foregoing reasons, I grant plaintiff’s motion for remand and attorneys’ fees and deny as moot defendant’s motion to dismiss. Because defendant has not objected to the specific fee amount plaintiff claims, which she supports with evidence in the form of affidavits and billing records, I find that plaintiff is entitled to payment in the amount of $58,112.50 pursuant to § 1447(c).”)

© 2020 Schiff Hardin LLP
For more on BIPA, see the National Law Review Communications, Internet, and Media Law section.

The Ever Thinning Right of Privacy at the Border—A Warning for Attorney Travelers

Immigration Commentary

It was March 2, 2020, at around five in the afternoon, right before the COVID-19 pandemic went out of control, and cities and states started to issue stay-at-home orders.

I had just gotten married to my wife on February 28 in Mexico. On our flight back we traveled with our family, around ten people in total. As we went through the automated customs system, my wife got an X on the receipt that the customs machine sometimes gives you. Mine did not have an X but, since hers did, I accompanied her to the agent’s kiosk that reviews receipts marked with Xs. When we got there, the agent reviewed her passport quickly, and told her that she would have to go through a secondary screening in what they call the “little room” or “el cuartico” in Spanish. As her husband, they let me go in with her.

We were in the “little room” for a few minutes, not too long. They reviewed her passport and then we were told to go to another place, following a long pathway full of orange plastic cones that took us to another agent, in a zone where there were scanning machines. The agent opened both of our bags, looked at them carefully, item by item, and then told us to sit and wait.

As we sat and waited for around twenty minutes, two agents came in and introduced themselves as being from the Investigative Unit at the Department of Justice. They showed us their badges. Without giving any details, they told us that they had orders from the agent-supervisor in charge to take our phones and laptops. My wife and I are both lawyers and, as such, reacted quite surprised, and quickly asked why. Both agents–one very polite, the other, not so much–told us that they could not tell us why they needed our phones and laptops, or what the whole thing was about. A back and forth, at times intense, ensued.

Our immediate reaction as lawyers was to say: “You don’t have a right to do that. Please show us a warrant to search our phones or laptops.” We additionally disclosed to them at that point that we were attorneys, and that our phones and laptops contained attorney-client sensitive information, and that such information does not belong to us but to the client. The polite officer did not say much. The not-so-polite officer said, essentially: “I don’t care” and that “at the point of entry we have a right to inspect these things.”

At the time, I did not know the law on this topic. As an immigration lawyer, I knew that non-citizens seeking admissibility do not have a constitutional right to privacy. I thought that a different standard applied to U.S. citizens—which we both are. The agent seemed to disagree. I did not have time to research the law on my phone. The agents made us place our phones on the table, so we could not use them. The back and forth with the not-so-polite agent turned more intense. We managed to persuade him to let us use our phones to call our lawyers.

We called three lawyers. First, a good friend, Juan Carlos Gomez, an immigration law professor. He was of the view that if they were going to search our phones and laptops, they needed a magistrate’s order or a warrant. I then called two good friends and excellent criminal attorneys. Both of them said something similar: “If they want to take it, they are going to take it, and there’s not much you can do about it. You just need to make sure you are making it clear that you don’t consent, and thus, anything inside cannot be used against you.” All three attorneys told us that we did not have to provide the passwords of our phones and laptops; we just had to turn them in physically.

My wife and I were both unconcerned about ourselves. We really had nothing to hide but felt (1) that our right of privacy was being violated, and (2) that our clients’ information was vulnerable. We both run small practices and take our phones and computers everywhere, as most lawyers do.

After some 60 minutes arguing with the agents, we agreed that we were going to wait for their supervisor to come see us before they took any of our laptops or phones. According to the not-so-polite agent, their boss had just been in a car accident and was going to take an additional hour. We said we would wait.

After around three hours since landing, tired, and with our family waiting outside, we said: “Let’s just give it to them, let’s not wait anymore.” As we were about to turn in our phones, the agent-supervisor appeared. He was a nice man. We explained to him the situation, that we were attorneys, that our devices contained confidential attorney-client information, and that if he could give us any details about the topic of their investigation, we could cooperate and provide them with any necessary information. The agent-supervisor was polite, understood our position, and said not to worry about it, that he was going to let us go with our devices. We grabbed them and left.

To this day, we are not sure whether the agent-supervisor let us go because of the hassle of having to deal with two lawyers to obtain information that may not be all that valuable anyway, or if he let us go due to the attorney-client privilege concerns we shared with him.

Can U.S. border agents take an attorney’s device which contains attorney-client privileged information?

The short answer seems to be yes.

The longer answer is laid out in the 2018 U.S. Customs and Border Protection Directive No. 3340-049A (the “Directive”).[i] Specifically, section 5.2 of the Directive, titled “Review and Handling of Privileged or Other Sensitive Material,” addresses this issue head-on.

First, the information has to be “identified” or “asserted to be” protected by the attorney-client privilege. This burden is on the attorney. In other words, if you have attorney-client privileged information, it is your duty as a lawyer to make the claim.

Second, after there is a claim of attorney-client privileged information, the “Officer shall seek clarification, if practicable in writing, from the individual asserting [the] privilege as to specific files, folders, categories of files, attorney or client names, email addresses, phone numbers, or other particulars that may assist CBP in identifying privileged information.”

Third, before any search may occur, where there is a claim of privilege, “the Officer will contact the CBP Associate/Assistant Chief Counsel (ACC) office.” Then, in coordination with the ACC, the Officer “will ensure segregation of any privileged material from other information examined during a border search to ensure that any privileged material is handled appropriately.”

Finally, at the completion of segregation and review, “unless any materials are identified that indicate threat to homeland security, copies of materials maintained by CBP and determined to be privileged will be destroyed, except for any copy maintained . . . for purposes of . . . a litigation hold.”

In short, CBP officers may search a lawyer’s phone, but they have to “segregate” the privileged information. How confident can you feel about border agents “segregating” and not looking at privileged material in searches they do out of your sight? I think we don’t need to answer that question.

Can U.S. border agents access information remotely stored in “the cloud”?

The next question is how far they can search. We have not defined what a “device” is. Today, almost all smartphones are connected to “the cloud,” which allows you to access vast amounts of information beyond what is stored in the actual physical device.

The Directive also addresses this. It specifically states that “[t]he border search will include an examination of only the information that is resident upon the device and accessible through the device’s operating system or through other software, tools, or applications.” In fact, “Officers may not intentionally use the device to access information that is solely stored remotely.” The Directive goes on to recommend that “Officers request that the traveler disable connectivity to any network . . . or where warranted . . . Officers will themselves disable network connectivity.”

In other words, Officers can search your phone, but they cannot go into your Dropbox, iCloud, Google Drive or any other information that is stored in “the cloud” and that is accessed through internet connectivity. The question again becomes, how confident can you feel about border agents not accessing readily available information in Gmail, iCloud, Dropbox, and other cloud-based services? You really have no assurances that officers will not look at things you keep in “the cloud” that are so readily accessible. This underscores the importance of always having such applications logged out in your devices, but especially when you travel internationally.

Do you have to give U.S. border agents your password?

The Directive states that “[t]ravelers are obligated to present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents.” “Passcodes or other means of access may be requested and retained as needed to facilitate the examination of an electronic device.”

Thus, the Directive clearly says that you have to provide your password. However, it is unclear what remedy border agents have if U.S. citizens refuse to do so. In the case of non-U.S. citizens, it is clear that they could be denied admission into the country. It is highly unlikely, however, that a U.S. citizen attorney, making a claim of privilege, has to voluntarily disclose the password of the device that contains the privileged information. What happens if the attorney refuses to give his password? Will he be arrested? What if he is arrested and still refuses to give his password? Will he be physically forced? It seems to be one of those situations where it will be difficult for U.S. agents to enforce. Of course, U.S. Customs is not completely without remedy, as the refusal to turn in the password will result in the impounding of the device and its opening using other electronic means.

What to do?

We will never know why they wanted our devices. Likely, it was something related to one of the hundreds of clients we have represented. But we do not know exactly which client or what the investigation was about.

What we do know now and learned from this experience is that we live in a world with increasingly fading privacy rights, and that we have to learn, as lawyers, to take necessary precautions to protect our clients’ information. These precautions include traveling with devices that do not have access to cloud-stored information, such as Dropbox, Google Drive, Gmail, iCloud, or legal software that relies on cloud computing. It is also important to travel with computers or phones that do not have anything in them that can be privileged. As seen above, even if the Directive says that the Officer has to “segregate” and not look at attorney-client privileged material, these searches happen out of your sight, and you have no control whatsoever over what the Officers look at. Until the Directive is challenged in court, attorneys have to be extremely careful when they travel internationally.


[i] The legal authority or weight that the Directive carries is not the subject of this article; this article merely describes the current policy used by CBP in doing searches of attorneys’ devices.

© 2020 Eduardo Ayala Maura
For more on attorney-client privilege matters, see the National Law Review Law Office Management section.

The Return of Balance and Proportionality

Oscar Wilde was known for saying “Everything in moderation, including moderation.” For a period of time, we were only confronted with the scary aspects of “Big Data.” Think The Great Hack and the testy congressional hearings that we watched.

But the viral pandemic has thrown privacy absolutism into deeper question, as we are suddenly faced with a problem that in order to be solved must involve finding and tracking people for extended periods of time. We need to decide how to balance the societal need for virus control with the societal good of personal privacy.

Contact tracing is often used as an epidemic control measure. Lawmakers have discussed using the tool in the U.S. as Apple and Google work together to develop an effective contact tracing system. It has been deployed against illnesses such as measles, SARS, typhoid, meningococcal disease, and Ebola. It is currently being implemented in South Korea and China to combat COVID-19.

The Israeli government approved tracking cell phone data of people suspected of having coronavirus, to make sure they self-isolated. This emergency power lasted for 30 days. Israel’s Supreme Court, concerned with the privacy implications of using a military technology to track its own citizens’ daily movements, decided that the government would be required to halt this surveillance technology until or unless the government can pass an extension of that use. Then an oversight group in Israel’s parliament blocked an attempt to extend the emergency measures beyond this week, also due to privacy concerns. A committee member said the harm done to privacy outweighed the benefits.

As I recently wrote, this crisis may be testing sensibilities about privacy. Perhaps I was wrong. Sentiments do not seem to be moving aggressively towards greater data collection, or a sacrifice of consumer rights. Instead there appears to be a return towards measuring the weight of data against the potential for abuse, or grand commodification of personal information. In Israel more than 200 people, some identified through phone location information, had been arrested for violating quarantine. Thirty days of these extreme measures were tolerable. Then the Israelis had second thoughts.

Ulrich Kelber, Germany’s federal data protection commissioner, who recently claimed that the lack of GDPR enforcement was a result of enforcement agencies not receiving enough resources, backed a plan for Germany’s disease prevention agency to use Deutsche Telekom metadata. Considering that just a week earlier he had deemed tracking individual smartphones to monitor quarantine a “totally inappropriate and encroaching measure,” it is apparent that Germany is balancing the harsh reality of the crisis and the immediate need for certain information against this encroachment.

Canada’s Privacy Commissioner released a “Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19.” The Commissioner’s Office acknowledged that COVID-19 raised “exceptionally difficult challenges to both privacy and public health.” However, the framework reiterated that “the principles of necessity and proportionality, whether in applying existing measures or in deciding on new actions to address the current crisis,” will govern. Canada too is weighing the need of the information collected against the nature and sensitivity of the information collected.

The European Data Protection Board (EDPB) provided multiple guidance documents regarding COVID-19. Much like its Canadian counterpart, guidance provides that the “general principles of effectiveness, necessity, and proportionality must guide any measures adopted by Member States or EU institutions that involve processing of personal data to fight COVID-19.” These guidelines clarify the conditions and principles for the proportionate use of location data and contact tracing tools. But the EDPB also stressed that the “data protection legal framework was designed to be flexible and as such, is able to achieve both an efficient response in limiting the pandemic and protecting fundamental human rights and freedoms.”

Here in the United States, all eyes have been on the California Attorney General regarding enforcement of the California Consumer Privacy Act, which is set to begin on July 1, 2020. Unlike our neighbors to the North and Europe, there is no significant sentiment of the need for balance or proportionality. Just a reminder that as “the health emergency leads more people to look online to work, shop, connect with family and friends, and be entertained, it is more important than ever for consumers to know their rights under the California Consumer Privacy Act.”

For many sovereigns, this crisis has led enforcement agencies and legislatures to return to the roots of data privacy, which is balance and proportionality. Many privacy laws require a balancing test for entities collecting data. COVID-19 has made these principles re-emerge into the limelight.


Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.

CARES Act Brings Changes to Federal Substance Use Disorder Privacy Law

The Coronavirus Aid, Relief, and Economic Security Act (CARES Act), enacted March 27, 2020, rewrote significant portions of 42 U.S.C. § 290dd-2, the federal statute governing the confidentiality of substance use disorder (SUD) records that is more commonly known by its implementing regulations at 42 C.F.R. Part 2 (Part 2). Among other changes, the CARES Act revises the permissible uses and disclosures of SUD records to more closely align with the HIPAA Privacy Rule, 45 C.F.R. § 164.500, et seq., when a Part 2 program obtains the patient’s prior written consent.

Historically, Part 2 programs have been restricted in their ability to share SUD records by the Part 2 regulations, which require written patient consent for each disclosure of SUD records and prohibit re-disclosure of such SUD records except in limited circumstances. The CARES Act directs the Secretary of the U.S. Department of Health and Human Services (HHS), in consultation with appropriate federal agencies (which may include the Substance Abuse and Mental Health Services Administration (SAMHSA)) to revise the Part 2 regulations as necessary to implement and enforce the statutory revisions contained in the CARES Act effective March 27, 2021. The forthcoming revisions to the Part 2 regulations may be substantial given these CARES Act changes to the federal statute.

Another significant change to the federal SUD confidentiality statute addresses the ability of health care providers to use SUD records for treatment, payment, and health care operations purposes (except for certain provider fundraising activities) in a manner more consistent with the allowances provided for protected health information under HIPAA. Specifically, the CARES Act authorizes a Covered Entity or Business Associate (as those terms are defined in the HIPAA Privacy Rule) or Part 2 Program (as defined by the Part 2 regulations) to use, disclose, or re-disclose SUD records with the patient’s written consent for treatment, payment, and health care operations as permitted by the HIPAA regulations, 45 C.F.R. Parts 160, 162, and 164, and Sections 13405(a) and (c) of the Health Information Technology and Clinical Health Act (42 U.S.C. § 17935(c)) (HITECH Act). Under the revised statute, a patient can provide written consent once that will then authorize all such future uses or disclosures for purposes of treatment, payment, and health care operations until such time as the patient revokes such consent in writing.

Additionally, the CARES Act incorporates the following privacy protections for SUD records:

  • Except as otherwise authorized by court order or by written patient consent, SUD records or testimony relaying information from the SUD records may not be disclosed or used in any civil, criminal, administrative, or legislative proceedings conducted by any federal, state, or local authority.
  • Penalties applicable to HIPAA violations (42 U.S.C. §§ 1320d-5 and 6) shall apply to a violation of 42 U.S.C. § 290dd-2.
  • The breach notification provisions of Section 13402 of the HITECH Act shall apply to SUD records.
  • By March 27, 2021, HHS will update the HIPAA Privacy Rule to require that Part 2 programs provide notice of privacy practices, written in plain language, describing the patient’s rights with respect to the Part 2 records and how the patient may exercise those rights, and describing each purpose for which the Part 2 program is permitted or required to use or disclose the SUD records without the patient’s written authorization.
  • Part 2 providers can disclose information, regardless of whether the patient gives written consent, to a public health authority (as defined by HIPAA), if the content is de-identified in accordance with the HIPAA de-identification standards set forth at 45 C.F.R. § 164.514(b).
  • Patients shall have the right to request a restriction on the use or disclosure of SUD records for treatment, payment, or health care operations.
  • Patients shall have the right to request an accounting of disclosures of SUD records consistent with the HITECH Act and HIPAA.
  • Entities shall be prohibited from discriminating against an individual on the basis of information received, whether intentionally or inadvertently, from SUD records in: (a) admission, access to, or treatment for health care; (b) hiring, firing, or terms of employment, or receipt of worker’s compensation; (c) the sale, rental, or continued rental of housing; (d) access to federal, state, or local courts; or (e) access to, approval of, or maintenance of social services and benefits provided or funded by federal, state, or local governments.
  • Recipients of federal funds shall be prohibited from discriminating against an individual on the basis of information received, whether intentionally or inadvertently, from SUD records, when offering access to services provided with such funds.

The CARES Act provides that the above-summarized amendments to the federal SUD statute will apply to uses and disclosures of information on or after March 27, 2021. While these changes implement long-awaited alignment efforts to enable data sharing across providers in a manner consistent with the allowances permitted under HIPAA, the real impact of these changes will come from the forthcoming implementing regulations from HHS, which are also due to be issued by March 27, 2021.


©2020 Greenberg Traurig, LLP. All rights reserved.

EEOC Issues ADA and Title VII Guidance for Employers on COVID-19

The Equal Employment Opportunity Commission (EEOC) recently hosted a webinar in which the agency answered questions about the applicability of the Americans with Disabilities Act (ADA) and Title VII to COVID-19-related employment actions. This Q&A supplemented earlier guidance posted by the EEOC.

This post summarizes the guidance and takeaways from the EEOC webinar.

  • The EEOC updated its previously published guidance entitled “Pandemic Preparedness in the Workplace and the Americans With Disabilities Act” to provide information and examples regarding COVID-19. This new guidance confirms that COVID-19 constitutes a “direct threat” and a significant risk of substantial harm would be posed by having someone with COVID-19, or symptoms of it, present in the workplace.
  • Employers should follow the EEOC guidance in conjunction with the guidelines and suggestions made by the CDC and state/local health authorities.
  • The guidance also answers common employer questions about the COVID-19 pandemic, such as:

Q:     How much information may an employer request from an employee who calls in sick in order to protect the rest of its workforce during the COVID-19 pandemic?

A:    ADA-covered employers may ask such employees if they are experiencing symptoms of the pandemic virus such as fever, chills, cough, shortness of breath, or sore throat. Employers must maintain all information about employee illness as a confidential medical record in compliance with the ADA. Employers generally may not ask these questions of employees who are teleworking since they are not entering the workplace and do not pose a threat to others.

We note, however, that if an employee recently started teleworking, employers may want to ask the employee if they exhibited symptoms of COVID-19 before starting telework, so the employer can inform those with whom the employee had been in close contact about the potential exposure.

Q:     What if an employee refuses to answer COVID-19 related questions by the employer?

A:    The ADA allows employers to bar an employee’s physical presence in the workplace if he or she poses a threat to others. Employers should ask for the reason behind the employee’s refusal and reassure the employee if the employee is hesitant to provide this information.

Q:    When may an employer take an employee’s temperature during the COVID-19 pandemic?

A:    Generally, taking an employee’s temperature is a medical examination under the ADA. Because the CDC and state/local health authorities have acknowledged community spread of COVID-19, employers may take employees’ temperature. However, employers should be aware that some people with COVID-19 do not have a fever, while some people with a fever do not have COVID-19.

Employers, however, are well-advised to first consult with counsel to ensure the administration of these tests stays within the guidance and does not otherwise violate applicable law.

Q:    Can an employer ask COVID-19 related questions about an employee’s family members?

A:    This unnecessarily limits the inquiry. A better question is whether the employee has had contact with anyone diagnosed with COVID-19 or who was showing symptoms of COVID. A general question like this is more sound. The Genetic Information Nondiscrimination Act (GINA) prohibits employers from asking employees medical questions about an employee’s family members.

Q:    How are employers supposed to keep medical information of employees confidential while teleworking?

A:     The ADA requires that medical information be stored separately away from other personnel files and employee information. A supervisor who receives this information while teleworking should follow normal company procedures to store this information. If they cannot follow the procedures for whatever reason, they should make every effort to safeguard the information from disclosure (for example, do not leave a laptop open or accessible to others; do not leave notepads with information around the home, etc.).

Q:    What are an employer’s ADA obligations when an employee says he has a disability that puts him at a greater risk of severe illness if he contracts COVID and therefore asks for a reasonable accommodation?

A:    The CDC has identified certain conditions (for example, lung disease) that put certain people at a higher risk for severe illness if COVID-19 is contracted. Thus, this is clearly a request for a reasonable accommodation and a request for a change in the workplace. Because employers cannot grant employees reasonable accommodations for disabilities that they do not have, employers may verify that the employee has a disability, what the disability is, and that the reasonable accommodation is necessary because the disability may potentially put the individual at a higher risk for severe illness due to COVID-19.

There may also be a situation in which the employee’s disability is exacerbated by the current situation. The employer may verify this as well. Aside from requesting a doctor’s note, other options to verify an employee’s disability may be to request insurance documents or their prescription. An employer may want to provide a temporary reasonable accommodation pending receipt of the documentation.

Q:    If an employer grants telework to employees with the purpose of slowing down/stopping COVID-19 – after the public health measures are no longer necessary, does the employer automatically have to grant telework as a reasonable accommodation to every employee with a disability who wishes to continue this arrangement?

A:    No. Anytime an employee requests a reasonable accommodation, the employer has the right to understand and evaluate the disability related limitation and make a determination on the request. After the pandemic, a request to telework does not have to be granted if working at the worksite is an essential function of the job in normal circumstances (i.e. not during a pandemic). The ADA never requires an employer to limit the essential functions of a position, and just because an employer did this during the pandemic does not mean an employer has to permanently change the essential functions of a position, and is not an admission that telework is a feasible accommodation or that telework does not place an undue hardship on the employer.

The guidance further addresses common questions related to discrimination and harassment under Title VII, such as:

Q:     May an employer decide to lay off or furlough a pregnant employee who does not have COVID-19 or symptoms solely based on the CDC guidance that pregnant women are more likely to experience severe symptoms and should be monitored?

A:     No, because pregnant employees are protected under the Pregnancy Discrimination Act of Title VII.

Q:    May an employer exclude from the workplace an employee who is 65 or older and who does not have COVID, solely because he or she is in an age group that is at higher risk for severe illness as a result of COVID?

A:    No, age-based actions are not permitted. The Age Discrimination in Employment Act prohibits discrimination against those who are 40 or older.

Q:    May an employer single out employees based on national origin and exclude them from the workplace due to concerns about possible COVID-19 transmission? May employers tolerate a hostile work environment based on an employee’s national origin or religion because others link it to the transmission of COVID-19?

A:    No, because Title VII prohibits national origin discrimination. It does not matter that it is linked to COVID-19. Employers should remind employees of anti-discrimination and anti-harassment policies and also should ensure that they are not taking employment actions based on an employee’s protected class(es).

  • An employer may make inquiries that are non-disability related to identify potential non-medical reasons for an employee’s absence or future absence. For example, an employer may ask a “yes” or “no” question that asks if the employee or someone in his or her household falls within the categories identified by the CDC for being at higher risk for severe illness if COVID-19 is contracted (such as pregnancy or being over the age of 65).
  • An employer may also screen job applicants for symptoms of COVID-19 after making a conditional job offer, as long as it does so for all entering employees in the same type of job.
  • While employers may require doctors’ notes certifying employees’ fitness for duty before they return to work, as a practical matter, doctors and other health care professionals may be too busy during the pandemic outbreak to provide fitness-for-duty documentation. Therefore, new approaches, such as requesting an employee’s prescription, may be necessary.

This is a challenging time and events are changing rapidly. EEOC guidance and interpretation of what is permissible under the ADA and Title VII is evolving and may change as circumstances develop.


©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.


U.S. Health & Human Services – Office of Civil Rights Issued Guidance Regarding HIPAA Privacy and Novel Coronavirus

The Office of Civil Rights (OCR) last month provided guidance and a reminder to HIPAA covered entities and their business associates regarding the sharing of patient health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule during an outbreak or emergency situation such as what we are all facing right now with the Novel Coronavirus (2019-nCoV) outbreak.

The OCR guidance focused on sharing patient information in several areas, including: treatment, public health activities, disclosures to family, friends, and others involved in an individual’s care, and disclosures to prevent a serious and imminent threat.

The HIPAA Privacy Rule allows a covered entity to disclose PHI to the Centers for Disease Control and Prevention (CDC) or to state or local health departments that are authorized to collect or receive such information, for the purpose of preventing disease and protecting public health. This would include disclosure to the CDC, and/or state or local health departments, of PHI as needed to report prospective cases of patients exposed to or suspected or confirmed to have Novel Coronavirus.

The OCR message in the guidance document is clear and it emphasized the balance between protecting the privacy of patient PHI and the appropriate uses and disclosures of such information to protect the public health. For more information and resources, see the HHS interactive decision tool which provides assistance to covered entities to determine how the Privacy Rule applies to disclosures of PHI in emergency situations.


Copyright © 2020 Robinson & Cole LLP. All rights reserved.


6 Months Until Brazil’s LGPD Takes Effect – Are You Ready?

In August 2018, Brazil took a significant step by passing comprehensive data protection legislation: the General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – Law No. 13,709/2018, as amended) (LGPD). The substantive part of the legislation takes effect August 16, 2020, leaving fewer than six short months for companies to prepare.

While the LGPD is similar to the EU’s General Data Protection Regulation (GDPR) in many respects, there are key differences that companies must consider when building their compliance program, to be in line with the LGPD.

Application

The LGPD takes a broad, multi-sectoral approach, applying to both public and private organizations and businesses operating online and offline. The LGPD applies to any legal entity, regardless of their location in the world, that:

  • processes personal data in Brazil;
  • processes personal data that was collected in Brazil; or
  • processes personal data to offer or provide goods or services in Brazil.

Thus, like the GDPR, the LGPD has an extraterritorial impact. A business collecting or processing personal data need not be headquartered, or even have a physical presence, in Brazil for the LGPD to apply.

Enforcement and Penalties

After many debates and delays, the Brazilian Congress approved the creation of the National Data Protection Authority (ANPD), an entity linked to the executive branch of the Brazilian government, which will be tasked with LGPD enforcement and issuing guidance.

Violations of the LGPD may result in fines and other sanctions; however, the fine structure is more lenient than the GDPR’s. Under the LGPD, fines may be levied up to 2% of the Brazil-sourced income of the organization (which is considered any legal entity, its group or conglomerate), net of taxes, for the preceding fiscal year, limited to R$ 50,000,000.00 (approx. $11 million) per infraction. There is also the possibility of a daily fine to compel the entity to cease violations. The LGPD assigns to the ANPD the authority to apply sanctions and determine how the fines shall be calculated.

Legal Basis for Processing

Similar to the GDPR, an organization must have a valid basis for processing personal data. Personal data can only be processed if it meets one of the 10 requirements below:

  • with an individual’s consent;
  • when necessary to fulfill the legitimate interests of the organization or a third party, except when the individual’s fundamental rights and liberties outweigh the organization’s interest;
  • based on a contract with the individual;
  • to comply with a legal or regulatory obligation;
  • public administration and for judicial purposes;
  • for studies by research entities;
  • for the protection of life or physical safety of the individual or a third party;
  • by health professionals or by health entities for health care purposes; or
  • to protect an individual’s credit.

Sensitive personal information (race, ethnicity, health data, etc.) and children’s information may only be processed with the individual or a parent or legal guardian’s consent, as applicable, or as required by law or public administration.

Individual Rights

Brazilian residents have a number of rights over their personal data. Many of these rights are similar to those found in the GDPR, but the LGPD also introduces additional rights not included in the GDPR.

Established privacy rights, materially included in the GDPR

  • access to personal data
  • deletion of personal data processed with the consent of the individual
  • correction of incomplete, inaccurate, or out-of-date personal data
  • anonymization, blocking, or deletion of unnecessary or excessive data or personal data not processed in compliance with the LGPD
  • portability of personal data to another service or product provider
  • information about the possibility of denying consent and revoking consent

Additional rights provided by the LGPD

  • access to information about entities with whom the organization has shared the individual’s personal data
  • access to information on whether or not the organization holds particular data

Transferring Data Out of Brazil

Organizations may transfer personal data to other countries that provide an adequate level of data protection, although Brazil has not yet identified which countries it considers as providing an adequate level of protection. For all other transfers, organizations may not transfer personal data collected in Brazil out of the country unless the organization has a valid legal method for such transfers. There are two main ways organizations can transfer data internationally:

  • with the specific and express consent of the individual, which must be prior and separated from the other purposes and requisitions of consent;
  • through contractual instruments such as binding corporate rules and standard clauses, committing the organization to comply with the LGPD principles, individual rights, and the Brazilian data protection regime.

Governance & Oversight

In addition to the requirements above, under the LGPD, organizations must, in most circumstances:

  • Appoint an officer to “be in charge of the processing of data,” who, together with the organization, shall be jointly liable for remedying any damage, whether individually or collectively, in violation of the personal data protection legislation, caused by them (there is little specificity around the role or responsibility of the data processing officer; however, it is not mandatory for the officer to be located in Brazil);
  • Maintain a record of their processing activities;
  • Perform data protection impact assessments;
  • Design their products and services with privacy as a default;
  • Adopt security, technical, and administrative measures able to protect personal data from unauthorized access, as well as accidental or unlawful destruction, loss, alteration, communication (likely similar standards to those established under the Brazilian Internet Act); and
  • Notify government authorities and individuals in the case of a data breach.

Meeting these requirements will likely be a significant administrative burden for organizations, especially as they work to meet varying documentation and governance requirements between the GDPR, CCPA, and LGPD. This effort is made more complicated by the lack of clarity in some of the LGPD administrative requirements. For example, while the LGPD requires a record of processing, it does not delineate what should be included in the document, and while it establishes that privacy impact assessments should be carried out, it does not indicate when such assessments are required.

Final Thoughts

Given that August 2020 is right around the corner, global organizations processing personal data from or in Brazil should consider immediately moving forward with a review of their current data protection program to identify and address any LGPD compliance gaps that exist. As privacy law changes and global compliance requirements are top of mind for many clients with global operations, we will be sure to provide timely informational updates on the LGPD and any ANPD guidance issued.

Greenberg Traurig is not licensed to practice law in Brazil and does not advise on Brazilian law. Specific LGPD questions and Brazilian legal compliance issues will be referred to lawyers licensed to practice law in Brazil.


©2020 Greenberg Traurig, LLP. All rights reserved.
