CCPA Part 2 – What Does Your Business Need to Know? Consumer Requests and Notice to Consumers of Personal Information Collected

This week we continue our series of articles on the California Consumer Privacy Act of 2018 (CCPA). We’ve been discussing the broad nature of this privacy law and answering some general questions, such as what is it? Who does it apply to? What protections are included for consumers? How does it affect businesses? What rights do consumers have regarding their personal information? What happens if there is a violation? This series is a follow up to our earlier post on the CCPA.

In Part 1 of this series, we discussed the purpose of the CCPA, the types of businesses impacted, and the rights of consumers regarding their personal information. This week we’ll review consumer requests and businesses obligations regarding data collection, the categories and specific pieces of personal information the business has collected, and how the categories of personal information shall be used.

We begin with two questions regarding data collection:

  • What notice does a business need to provide to the consumer to tell a consumer what personal information it collects?
  • What is a business required to do if that consumer makes a verified request to disclose the categories and specific pieces of personal information the business has collected?

First, the CCPA requires businesses to notify a consumer, at or before the point of collection, as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section. Cal. Civ. Code §1798.100.

Second, under the CCPA, businesses shall, upon request of the consumer, be required to inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. The CCPA states that “a business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.” Section 1798.100 (d).

Section 1798.130 (a) states that to comply with the law, a business shall, in a form that is reasonably accessible to consumers, (1) make available to consumers two or more designated methods for submitting requests for information required to be disclosed, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet web site, a web dite address; and (2) disclose and deliver the required information to a consumer free of charge within forty-five (45) days of receiving a verifiable request from the consumer.

Many have suggested during the rule-making process that there should be an easy to follow and standardized process for consumers to make their requests so that it’s clear for both consumers and businesses that a consumer has made the verified request. This would be welcome so that it would make this aspect of compliance simpler for the consumer as well as the business.

When businesses respond to consumers’ requests, having a clear website privacy policy that explains the types of information collected, a documented process for consumers to make a verified requests, a protocol for responding to consumer requests, audit logs of consumer requests and business responses, a dedicated website link, and clear and understandable language in  privacy notices, are all suggestions that will help businesses respond to consumers and provide documentation of the business’ response.

As we continue to explore the CCPA and its provisions, we strive to understand the law and translate the rights conferred by the law into business operations, processes and practices to ensure compliance with the law. In the coming weeks, we’ll focus on understanding more of these provisions and the challenges they present.

 

Copyright © 2019 Robinson & Cole LLP. All rights reserved.
This post was written by Deborah A. George of Robinson & Cole LLP.

New Washington State Privacy Bill Incorporates Some GDPR Concepts

A new bill, titled the “Washington Privacy Act,” was introduced in the Washington State Senate on January 18, 2019. If enacted, Washington would follow California to become the second state to adopt a comprehensive privacy law.

Similar to the California Consumer Privacy Act (CCPA), the Washington bill applies to entities that conduct business in the state or produce products or services that are intentionally targeted to residents of Washington and includes similar, though not identical size triggers. For example, it would apply to businesses that 1) control or process data of 100,000 or more consumers; or 2) derive 50 percent or more of gross revenue from the sale of personal information, and process or control personal information of 25,000 or more consumers. The bill would not apply to certain data sets regulated by some federal laws, or employment records and would not apply to state or local governments.

The bill incorporates aspects of the EU’s General Data Protection Regulation (GDPR) and borrows the “controller”/“processor” lexicon in identifying obligations for each role from the GDPR. It defines personal data as any information relating to an identified or identifiable natural person, but does not include de-identified data. Similar to the GDPR, it treats certain types of sensitive information differently. Unlike the CCPA, the bill excludes from the definition of “consumer” employees and contractors acting in the scope of their employment. Additionally, the definition of “sale” is narrower and limited to the exchange of personal data to a third party, “for purposes of licensing or selling personal data at the third party’s discretion to additional third parties,” while excluding any exchange that is “consistent with a consumer’s reasonable expectations considering the context in which the consumer provided the personal data to the controller.”

Another element similar to the GDPR in the bill, requires businesses to conduct and document comprehensive risk assessments when their data processing procedures materially change and on an annual basis. In addition, it would impose notice requirements when engaging in profiling and a prohibition against decision-making solely based on profiling.

Consumer rights 

Similar to both the GDPR and the CCPA, the bill outlines specific consumer rights.  Specifically, upon request from the consumer, a controller must:

  • Confirm if a consumer’s personal data is being processed and provide access to such data.
  • Correct inaccurate consumer data.
  • Delete the consumer’s personal data if certain grounds apply, such as in cases where the data is no longer necessary for the purpose for which it was collected.
  • Restrict the processing of such information if certain grounds apply, including the right to object to the processing of personal data related to direct marketing. If the consumer objects to processing for any purpose other than direct marketing, the controller may continue processing the personal data if the controller can demonstrate a compelling legitimate ground to process such data.

If a controller sells personal data to data brokers or processes personal data for direct marketing purposes, it must disclose such processing as well as how a consumer may exercise the right to object to such processing.

The bill specifically addresses the use of facial recognition technologies. It requires controllers that use facial recognition for profiling purposes to employ meaningful human review prior to making final decisions and obtain consumer consent prior to deploying facial recognition services. State and local government agencies are prohibited from using facial recognition technology to engage in ongoing surveillance of specified individuals in public spaces, absent a court order or in the case of an emergency.

The Washington State Attorney General would enforce the act and would have the authority to obtain not more than $2,500 for each violation or $7,500 for each intentional violation. There is no private right of action.

The Washington Senate Committee on Environment, Energy & Technology held a public hearing on January 22, 2019 to solicit public opinions on this proposed legislation. At the beginning of the public hearing, the Chief Privacy Officer of Washington, Alex Alben, commented that the proposed legislation would be just in time to address a “point of crisis [when] our economy has shifted into a data-driven economy” in the absence of federal legislation regarding data security and privacy protection.

Industry reaction to the bill

Companies and industry groups with an interest in this process applauded this proposed legislation as good news for entities that have become, or are on their way, to becoming compliant with the GDPR. Many also shared suggestions or criticisms. Among others, some speakers cautioned that by setting a high standard closely resembling the GDPR, the bill might drive small- or medium-sized companies to block Washington customers, just as they have done in the past to avoid compliance with the GDPR.

Some representatives, including the Chief of the Consumer Protection Division of the Washington Attorney General’s Office, call for a private cause of action so that this law would mean more to a private citizen than simply “a click on the banner.” The retail industry, the land title association, and other small business representatives expressed their preference for legislation on a federal level and a higher threshold for applicable businesses. Specifically, Stuart Halsan from the Washington Land Title Association recommended that the Washington Senate consider this bill’s impact on industries, such as the land title insurance industry, where the number of customers is significantly lower than the amount of data it processes in their ordinary course of business.

In response to these industry concerns, the committee acknowledged that this new legislation would need to be very sensitive to apply proportionately to businesses of different sizes and technology capabilities. The committee also recognized the need to make this legislation more administratively feasible for certain industries or entities that face difficulty in compliance (such as the secondary ticketing market) or subject to complicated regulatory frameworks (such as the bank industry). The Washington Senate continues to invite individuals, companies, or industry groups to submit brief written comments here.

 

©2019 Drinker Biddle & Reath LLP. All Rights Reserved

Impact of Government Shutdown on IRS Collections

The government shutdown has impacted many government offices, including the Internal Revenue Service. After the longest government shutdown in history, IRS employees returned to work on January 28, 2019, in most offices across the country. Unfortunately, due to extreme weather conditions in parts of the US, including Michigan, local offices were closed most days during this first week of the IRS reopening. If a taxpayer has outstanding balances with the IRS, the lingering question is what impact did the shutdown have on IRS collections.

While it will take some time for the IRS to resume normal operations, on January 29, 2019 the IRS issued a number of FAQs to assist taxpayers and tax professionals with collection issues that were affected by the shutdown.

Things to Keep in Mind

IRS revenue officers were furloughed during the shutdown. Meaning that they were put on a leave of absence that prohibited them from performing their duties. If you were working with a revenue officer to resolve your balance due account, the officer will be reviewing inventory and should be reaching out to taxpayers within the next week or so. If an appointment was missed, it should be rescheduled. If a payment or information was due during the shutdown, you should have that payment and/or information ready and available when contacted so that you can move your case toward resolution.

Government shutdown stamp over Form 1040 documentThe government shutdown did not affect federal tax law as it relates to the filing of returns and the making of payments to the IRS. Thus, penalties for failure to file, failure to pay, federal tax deposit penalties and estimated tax payment penalties may still apply. Further, since compliance is critical for all collection alternatives, including installment agreements, offers-in-compromise, and currently not collectible status, your collection alternative can be subject to default procedures.

The government shutdown did not affect statutory deadlines for filing timely appeals from enforced collection actions, including the time frame within which to request a Collection Due Process Hearing from the issuance of a Final Notice of Intent to Levy or from a Notice of Federal Tax Lien Filing. Thus, you may find yourself in jeopardy of levy action on income and financial assets.

 

© 2019 Varnum LLP
This post was written by Angelique M. Neal of Varnum LLP.
Read more news on the IRS and other Tax issues on the NLR Tax Type of Law Page.

DHS Publishes Final Rule for H-1B Lottery

On Nov. 30, 2018, the Department of Homeland Security issued the notice of proposed rulemaking to amend its H-1B cap-subject lottery process. On Jan. 31, 2019, USCIS will publish the final rule after a 30-day comment period. The final rule encompasses a pre-registration process and a modified selection process. The registration process will be suspended for FY 2020 cap season to finish testing the H-1B registration system. Below is what employers, attorneys, and employees alike need to know:

How to Register: The USCIS will house the H-1B cap registration process through ICAM, a portal that will allow accounts to submit H-1B cap registrations. A petitioner must submit a separate registration for each beneficiary, and the beneficiary must be named. A petitioner may submit one registration per beneficiary, and as with previous years, if multiple requests for the same beneficiary and same petitioner are found, the registration for that beneficiary will be considered invalid.

Timing: The registration period will last at least 14 calendar days, and will start at least 14 calendar days before the earliest date the H-1B petition can be filed. USCIS will announce the start of the registration period at least 30 days before the first date of open registration. As with previous filings, the start date on the petition may only begin on the first day of the fiscal year, Oct. 1. If for any reason the registration period is open longer than anticipated by USCIS, then the start date may begin later.

Selection Process: USCIS will conduct a random lottery of the registrations it receives. If the cap has not been reached at the end of the period, USCIS will notify all those that are selected and keep the registration period open until the slots have been filled, which will determine the “final registration date.” If the cap is reached at the end of the registration period, USCIS will notify the public of the “final registration period” and will then randomly select via computer the registrations that will move on to the next stage.

Most notably, the order of selection will change for the petitions filed for FY 2020, though the registration process will take effect FY 2021 due to testing of the proposed system. Instead of the U.S. Master’s degree registrations being selected first for the 20,000 spots, the general pool will go first, where 65,000 regular cap registrations are selected. This means there will be more U.S. Master’s degree registrations mixed within the regular pool. USCIS will announce the “final registration date” after all U.S. Master’s degree registrations have been selected.

USCIS will maintain a reserve pool of registrations in case it needs to increase the number of registrations to meet the H-1B cap (both regular and advanced degree exemption).

Notification: Petitioners will receive an electronic notification that their registration has been selected, and can therefore move forward with filing the H-1B petition, only for the beneficiary named on the registration notice. The H-1B petition must be filed within the filing period indicated on the notice, which will be at least 90 days. If this window is missed, USCIS will deny or reject the H-1B petition.

Fine Text: USCIS makes it very clear that even if the registration process is suspended, the order and manner in which the cap subject petitions are selected will remain in effect.

Implications: The registration process will not go into effect this coming H-1B cap season, but the system will be tested throughout the year for implementation next year. The manner of selecting cap cases will change, with the regular cap going first, then the U.S. Master’s cap. As such, there will be a greater chance for those with U.S. Master’s degrees to be selected in the process.

 

©2019 Greenberg Traurig, LLP. All rights reserved.
This post was written by Kristen W. Ng of Greenberg Traurig, LLP.

Supreme Court Update: SCOTUS Grants CERT on Issue of Punitive Damages for Unseaworthiness and Denies CERT on Maritime Contract Test

Last month, the US Supreme Court decided to take up whether punitive damages are recoverable in general maritime law claims for unseaworthiness when it granted certiorari in Batterton v. Dutra Group, 880 F.3d 1089 (9th Cir. 2018), writ granted Docket No. 18-266 (Dec. 7, 2018). As we reported in June 2018, Batterton brings the issue into focus for the high court because it is directly at odds with a 2014 US Fifth Circuit decision that held that punitive damages are nonpecuniary and therefore not recoverable in unseaworthiness actions. McBride v. Estis Wells Serv., 768 F.3d 382 (5th Cir. 2014).

The US Ninth Circuit in Batterton relied on a prior decision from that circuit, Evich v. Morris, 819 F.2d 256 (9th Cir. 1987), which held that punitive damages are available for general maritime law claims of unseaworthiness if certain conditions are present (i.e., when the conduct constitutes reckless or callous disregard for the rights of others, gross negligence, actual malice, or criminal indifference). The Ninth Circuit also relied on the broad principle announced in Atlantic Sounding v. Townsend, 557 US 404 (2009), that punitive damages have been available under the general maritime law and should, therefore, be available in unseaworthiness actions even though that case concerned the refusal of an employer to pay maintenance and cure benefits to a seaman.

The Fifth Circuit in McBride, however, relied on an earlier Supreme Court decision in answering the same question. In Miles v. Apex Marine Corp., 498 US 119 (1990), the Supreme Court held that a seaman’s damages are limited to pecuniary loss. The Fifth Circuit determined that punitive damages are nonpecuniary, and therefore are not recoverable for an unseaworthiness claim.

The Supreme Court will take up the question in due course, and we will continue to provide updates on this case, as punitive damages can impact the value of a case and present insurance coverage issues.

Separately, the Supreme Court denied cert in December 2018 from In re Crescent Energy Servs., L.L.C., 896 F.3d 350 (5th Cir. 2018), writ denied Docket No. 18-436 (Dec. 10, 2018), the first Fifth Circuit case that applied the new test for determining whether a contract in the oil and gas context is maritime since the en banc court changed the test in In re Larry Doiron Inc., 879 F.3d 568 (5th Cir. 2018). We summarized that line of cases in our August 2018 newsletter. The test under Doiron is two-pronged:

  1. Is the contract to provide services to facilitate the drilling or production of oil and gas on navigable waters?
  2. If the answer to the above question is “yes,” does the contract provide for, or do the parties expect, a vessel to play a substantial role in the completion of the contract? If so, then the contract is maritime in nature.

In In re Crescent Energy Servs., L.L.C., the issue presented on appeal was whether a contract to provide services to oil wells located on fixed platforms in navigable waters within a state is a “maritime” contract when a vessel plays a substantial role in the performance of the contract. The Fifth Circuit applied the Doiron test and answered in the affirmative, finding that the contract was indeed maritime. The Supreme Court denied cert, and the new test for a maritime contract in the oil and gas context adopted by Doiron continues to apply. Whether a contract is maritime in nature plays a role in the enforceability of indemnity obligations among the parties because indemnity provisions are generally enforceable under maritime law, but are often prohibited under oilfield anti-indemnity acts in Texas and Louisiana. If a contract is nonmaritime, then state law applies, which can bar enforcement of the indemnity provisions in the contract.

 

© 2019 Jones Walker LLP
This post was written by Jeanne Amy of Jones Walker LLP.
Read more litigation news on the National Law Review’s Litigation Page.

Sex Education for Minors?

As we previously reported, this past fall, Governor Jerry Brown signed into law AB 2338, which includes a provision requiring minors 14-17 years of age and their parents/guardians to receive sexual harassment prevention training prior to the issuance of an entertainment work permit by the California Labor Commissioner.  Earlier this week, the Department of Labor Standards Enforcement (“DLSE”) published its guidance regarding AB 2338 on its website.  The DLSE’s very brief guidance does answer some questions regarding the new law, yet leaves some unanswered.

First, the DLSE’s guidance notes that applicants for 10-day temporary entertainment work permits are exempt from the training requirement.

Second, it provides two options for 13-year-old minors who will reach their 14th birthday during the period of a six-month entertainment work permit: (1) apply for a permit which will expire on the minor’s 14th birthday; or (2) the Labor Commissioner will issue permits to minors at least 13 years and six months of age, who provide satisfactory proof of sexual harassment prevention training as an age-eligible minor.

Third, the DLSE’s guidance specifies that the sexual harassment prevention training must at a minimum include the components specified in the Department of Fair Employment and Housing’s form, DFEH Form 185.  This form includes general information regarding sexual harassment as well as employers’ responsibilities related to sexual harassment. The training must be administered by a third-party vendor and may be provided electronically or on site, in a language the participants understand.

Although AB 2338 went into effect on January 1, 2019, the DLSE has stated that, due to the “unavailability of third-party vendors and applicable materials at this time,” the Labor Commissioner will not enforce the new law until June 30, 2019.  Even following the DLSE’s guidance, questions remain regarding the new law, such as the required length of the trainings and which vendors will be deemed acceptable.  MSK will continue to monitor this area and will provide an update via its blog upon any further developments.

 

© 2019 Mitchell Silberberg & Knupp LLP.

Six Flags Raises Red Flags: Illinois Supreme Court Weighs In On BIPA

On January 25, the Illinois Supreme Court held that a person can seek liquidated damages based on a technical violation of the Illinois Biometric Information Privacy Act (BIPA), even if that person has suffered no actual injury as a result of the violation. Rosenbach v. Six Flags Entertainment Corp. No. 123186 (Ill. Jan. 25, 2019) presents operational and legal issues for companies that collect fingerprints, facial scans, or other images that may be considered biometric information.

As we have previously addressed, BIPA requires Illinois businesses that collect biometric information from employees and consumers to, among other things, adopt written policies, notify individuals, and obtain written releases. A handful of other states impose similar requirements, but the Illinois BIPA is unique because it provides individuals whose data has been collected with a private right of action for violations of the statute.

Now, the Illinois Supreme Court has held that even technical violations may be actionable.  BIPA requires that businesses use a “reasonable standard of care” when storing, transmitting, or protecting biometric data, so as to protect the privacy of the person who provides the data. The rules are detailed. Among other things, BIPA requires businesses collecting or storing biometric data to do the following:

  • establish a written policy with a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information;
  • notify individuals in writing that the information is being collected or stored and the purpose and length of time for which the biometric identifier will be collected, stored, and used;
  • obtain a written release from the individual; and
  • not disclose biometric information to a third party without the individual’s consent.

The Illinois Supreme Court has now held that a plaintiff may be entitled to up to $5,000 in liquidated damages if a company violates any of these requirements, even without proof of actual damages.

In Rosenbach, the plaintiff’s son’s fingerprint was scanned so that he could use his fingerprint to enter the Six Flags theme park under his season pass. Neither the plaintiff nor her son signed a written release or were given written notice as required by BIPA. The plaintiff did not allege that she or her son suffered a specific injury but claimed that if she had known that Six Flags collected biometric data, she would not have purchased a pass for her son. The plaintiff brought a class action on behalf of all similarly situated theme park customers and sued for maximum damages ($5,000 per violation) under BIPA. The Illinois appellate court held that plaintiff could not maintain a BIPA action because technical violations did not render a party “aggrieved,” a key element of a BIPA claim.

In a unanimous decision, the Illinois Supreme Court disagreed. The court held that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.” Even more pointedly, the court held that when a private entity fails to comply with BIPA’s requirements regarding the collection, retention, disclosure, and destruction of a person’s biometric identifiers or biometric information, that violation alone – in the absence of any actual pecuniary or other injury—constitutes an invasion, impairment, or denial of the person’s statutory rights.

This decision – along with the 200 class actions already filed – shows how important it is for vendors and companies using fingerprint timeclocks or other technologies that may collect biometric information to be aware of BIPA’s requirements.

 

© 2019 Schiff Hardin LLP

PFAS — What’s all the Fuss?

Recently, per- and polyfluoroalkyl substances (PFAS) have been the subject of much publicity, major ongoing litigation over alleged personal injury and property damage, and statutory and regulatory action. In Massachusetts and New Hampshire, contamination incidents, lawsuits, and concerns over drinking water impacts have led to proposals for adoption of extremely low (parts per trillion) drinking water guidelines or enforceable standards. Nationally, although there are drinking water “advisories,” the U.S. Environmental Protection Agency (EPA) is considering whether to start rulemaking to identify PFAS as “hazardous substances” under the federal Superfund law, and whether to adopt enforceable maximum contaminant levels as national drinking water standards.

What’s all the fuss? Although manufacturers stopped making two of the most well-known PFAS (PFOA and PFOS) over a decade ago, PFAS are a category of substances that includes hundreds of compounds, and a number of them appear to have toxic effects. PFAS had – and continue to have – a variety of uses in a multitude of products, and therefore have been manufactured or used (and sometimes released) at a large number of facilities. Commercial products have included, among others, cookware, food packaging, personal care products, and stain resistant chemicals for apparel and carpets. Industrial and commercial uses included photo imaging, metal plating, semiconductor coatings, firefighting aqueous film-forming foam, car wash solutions, and rubber and plastics. As a result, PFAS are present in the environment, and have been detected in certain drinking water systems. Further, PFAS are still being manufactured and used, but discharge of PFAS in air and water typically have not been regulated. PFAS also are highly mobile and highly persistent in the environment, and, therefore, will be present for scores of years.

Although the toxicological risks for many PFAS have not yet been determined with confidence, PFOA and PFOS have been tested fairly extensively. Manufacturers point out that not all PFAS have the same chemical structures and toxicity. Nevertheless, the Conservation Law Foundation and other environmental advocates are petitioning for regulation of the entire class.

Because PFAS haven’t yet fallen under most federal regulatory schemes, many states have been “filling the gap” with guidance and regulatory action. In Maine, PFAS are already the subject of guidance and regulations by the Maine Department of Environmental Protection (DEP). The most recent DEP Remedial Action Guidelines (RAGs, 2018) for PFOA, PFOS, and PFBS issued by Maine include:

  • Soil RAGs as low as 0.0095 ppm
  • Groundwater residential use RAG as low as 0.40 ppb
  • Fish tissue guidelines for recreational anglers as low as 0.052 ppm

And under DEP Chapter 418, Screening Levels for Beneficial Use have been set for certain PFAS as low as 0.0025 ppm.

It is clear there will be more regulation and legislation at federal and state levels. Further, litigation has commenced in a number of states (including Maine) for perceived or real damages from PFAS contamination under negligence and other tort theories.

What to do? Depending on where you sit, here are a few actions to consider.

  • If you are unsure whether you use PFAS, a limited review of safety data sheets may identify PFAS chemicals.
  • Determine if you stored, used, or currently use PFAS, and consider the potential toxicity of the specific compounds and potential impact of potential regulations.
  • If you stored or used PFAS in the past, consider whether there were potential releases or residuals that could pose health risks or liability risks.
  • If you are considering purchasing a business or real property, consider whether PFAS may have been used or released on site, and the potential risk and liability issues. Note that because PFAS are not federal “hazardous substances” they are not within the scope of the standard Phase I Environmental Site Assessment.
  • If you generate or ship wastes that may contain PFAS, consider voluntary testing and the possibility that testing may soon be requested or required.
  • If you use groundwater as drinking water or for production use, consider whether PFAS may be present from historic or recent uses.
  • Keep posted on national and state regulatory and legislative developments.
©2019 Pierce Atwood LLP. All rights reserved.
This post was written by Kenneth F. Gray and Thomas R. Doyle of Pierce Atwood LLP.

A Momentary Victory for the ACA: Federal Judge Issues a Nationwide Injunction against Trump Administration’s Contraceptive Coverage Carve Outs

On January 14, 2019, US District Judge Wendy Beetlestone in the US District Court for the Eastern District of Pennsylvania issued a nationwide preliminary injunction blocking the Trump administration’s carveouts to the Affordable Care Act’s (ACA) contraceptive coverage mandate. One day prior, US District Judge Haywood Gilliam in the US District Court for the Northern District of California issued a more limited injunction blocking the same carve outs from taking effect in 13 states plus the District of Columbia.

On October 6, 2017, the Trump administration issued rules that are the subject of these two decisions. The rules would have allowed employers to raise religious and moral objections to avoid the ACA’s requirement that contraceptive coverage be provided without cost sharing under their group health plans. Under the ACA, certain contraceptive products and services are included in the list of preventive services that must be covered by most group health plans without cost sharing. The available exemptions to this rule were limited.

Judge Beetlestone reasoned that the loss of contraceptive coverage would have resulted in “significant” and “proprietary harm” to the states by causing increased use of state-funded contraceptive services, along with increased costs associated with unintended pregnancies. Without the preliminary injunction, the Trump administration’s rules would have gone into effect on January 14, 2019. The preliminary injunction does not permanently block the rules, but rather it stops the rules from going into effect while legal challenges are being pursued. Judge Beetlestone indicated that she is likely to invalidate the rules, stating that the US Departments of Health and Human Services, Labor and Treasury exceeded the scope of their authority under the ACA by issuing the carve outs.

Charnae Supplee, a law clerk in the Firm’s Washington, DC office, also contributed to this post. 

 

© 2019 McDermott Will & Emery
This post was written by Jacob Mattinson Judith Wethall and Charnae Supplee of McDermott Will & Emery.

Emerging Technologies Update

Our present era is one characterized by rapid technological change, marked by an influx of advancements aimed at enhancing productivity, reducing labor costs, and providing companies with previously unforeseen efficiencies and insights. These emerging technologies—a broad collection of hardware and software that includes artificial intelligence (AI), autonomous vehicles (AVs), biotechnology, robotics, and unmanned aerial systems (drones)—are being incorporated into everyday operations by seemingly every industry and sector.

A number of emerging technologies are finding particular value in the energy, natural resources, and transportation spaces.  A brief survey of these sectors reveals that companies are incorporating emerging technologies in a number of novel ways, including:

  • Use of drones to detect leaks along pipelines and to survey the structural integrity of offshore rigs;
  • Integration of machine learning-empowered connected devices by electric, gas, and water utilities to better serve communities by identifying ways to be more efficient with respect to how resources are managed;
  • Application of predictive analytics for refinery/gas plant optimization to mitigate un-programmed plant shutdowns, improve yields, and enhance safety awareness;
  • Incorporation of machine learning and computer vision into AV systems which have the capability to significantly improve road safety, reduce traffic fatalities, and improve vehicle efficiency;
  • Adoption of machine learning and data analytics by oil and gas companies into planning processes for drilling by hydraulic fracturing; and
  • Utilization of autonomous delivery systems—including aerial and sidewalk drones—in an effort to significantly reduce the cost of deliveries and environmental impacts over the “last mile.”

While these and other technologies show great promise, they also create a host of new challenges for governments, companies, and individuals.  In particular, emerging technologies could usher in an era of massive disruption that dramatically alters and upsets traditional notions of consumer safety and privacy, national security, job security, and environmental quality.  Federal and state regulators and legislators are already starting to tackle the challenges arising from emerging technologies—with mixed results. These actions risk generating unintended consequences that could stifle innovation and/or forestall the incorporation of emerging technologies into various industry operations.

This inaugural VNF Emerging Technology Update is intended to identify recent executive and legislative branch developments in the emerging technology space that may impact the deployment of these technologies, which in turn could impact client operations. If you have a question about these or any other developments in the emerging technology space, please contact the authors of this alert.

Recent Emerging Tech Developments

DOT Announces New Measures to Facilitate Drone Deployment

On January 14, 2019, Secretary of Transportation, Elaine Chao, announced several significant regulatory developments that should—in time—provide drone companies and operators with more operational flexibility.

First, Secretary Chao announced that the Federal Aviation Administration (FAA) had unveiled a proposed rule entitled, “Operation of Small Unmanned Aircraft Systems over People.” Among other things, the proposed rule would allow a small drone to “pass[] over any part of any person who is not directly participating in the operation and who is not located under a covered structure or inside a stationary vehicle”—provided that the drone meets certain operational constraints related to drone weight, design, and risk of injury to people.  The proposed rule would also permit drones to operate at night provided that (i) the drone is equipped with an anti-collision light that is visible for at least three statute miles, and (ii) the operator has completed relevant knowledge training and testing.

While the proposed rule is a good first step in facilitating further innovation in small drone use cases, it is unlikely that the rule would have any immediate impact because it is contingent on the FAA implementing remote identification and tracking regulations, which the FAA is expected to promulgate in proposed form later this year.  Moreover, remote ID and tracking rules are necessary to stymie nefarious and nuisance operations that could target critical systems and infrastructure, including events similar to those that occurred at London’s Gatwick and Heathrow airports late in 2018 and early in 2019, and at Newark International Airport on January 22, 2019. Thus, while the proposed rule is a welcome step toward facilitating drone innovation, regulators still have a lot of work to do before companies (and consumers) realize the potential benefits of commercial drones.

In addition to the proposed rule, the FAA also announced an advanced notice of proposed rulemaking (ANPR) seeking comments on the “Safe and Secure Operations of Small Unmanned Aircraft Systems.” The ANPR recognizes the potential national security threat that drones pose to critical infrastructure, acknowledging that it is continually assessing the ability of the Part 107 regulations to address these concerns.  In addition, the ANPR notes that the FAA is working to develop a process to allow certain fixed-site facility owners to petition the agency to prohibit or restrict drone operations in close proximity to, e.g., critical infrastructure sites. The ANPR further recognizes public safety and national security concerns arising from loss of control of a drone. The agency seeks comment on the need to promulgate regulations establishing design requirements (such as redundancy) for systems critical to flight safety.

It is important to note that the current government shutdown has impacted the publication of these regulatory actions in the Federal Register. Therefore, the FAA is not yet accepting public comment on these actions. The FAA has not indicated when it will publish these actions in the Federal Register, but simply says both will be published “at a later date.”

FCC Proposed Rule on Unlicensed Use of 6 GHz Band

On December 17, 2018, the Federal Communications Commission (FCC) published a proposed rule to expand unlicensed use of the 5.925-7.125 GHz band (6 GHz band). Specifically, the FCC would allow unlicensed access points to operate on the 5.925-6.425 GHz and 6.525-6.875 GHz sub-bands only on frequencies determined by an automated frequency control (AFC) system. For the 6.425-6.525 GHz and 6.875-7.125 GHz sub-bands, the FCC would not mandate an AFC system and would permit unlicensed access points to operate at lower transmitted power.

The FCC’s press release on the proposed rule notes that “[u]nlicensed devices that employ Wi-Fi and other unlicensed standards have become indispensable for providing low-cost wireless connectivity in countless products used by American consumers.” The proposed rule represents one element of the FCC’s broader objective to facilitate and ensure that adequate spectrum exists to accommodate the proliferation of connected devices in the internet of things (IoT).

While the FCC asserted its commitment to “protecting the incumbent licensed services that operate in this spectrum,” the FCC’s proposed action does raise the possibility of conflict with electric, gas, and water utilities and other critical infrastructure systems, which have long relied on the 6 GHz band for their communications networks. Some worry that the FCC’s action could unleash a flood of new unlicensed users on the spectrum, which could create radio frequency interference that compromises both reliability and emergency response capabilities.

Comments on the proposed rule are due by February 15, 2019.

BIS Contemplating Export Controls for Certain Emerging Technologies

On November 19, 2018, the Bureau of Industry and Security (BIS)—an agency within the Department of Commerce—published an ANPR seeking public comment on criteria for identifying emerging technologies that are essential to U.S. national security. The BIS ANPR comes at a time of heightened scrutiny over global technology transfers. The past year alone has been dominated by headlines of (i) potential national security concerns related to the import of Chinese telecommunications technologies; (ii) potential supply chain attacks on U.S. technology manufacturers; and (iii) escalating trade tensions between the United States and China precipitated at least in part by U.S. objections over Chinese theft of intellectual property.

It is this third risk that BIS’s ANPR is attempting to redress. With the help of public comments received over the course their comment period (which closed on January 10, 2019) BIS will evaluate potential national security risks that may arise from the export of emerging technologies.  The agency has indicated that it will likely promulgate a proposed rule to amend the Commerce Control List (CCL) to include new Export Control Classification Numbers (ECCNs) for certain emerging technologies.

While there is certainly a need to address the economic, national security, and political implications of technology transfers—and the deleterious impacts of industrial espionage—some of the most prominent technology companies and technology industry advocacy groups argue that BIS’s action will do little to mitigate potential national security risks and may actually do more to harm U.S. emerging technology companies, because any prohibition on technology exports will apply to companies operating within the United States. Consequently, sophisticated external actors will still be able to engage in industrial espionage, thereby extracting potentially sensitive technologies outside of officially-sanctioned processes, allowing certain emerging technologies to end up in jurisdictions outside of the United States or its allies without U.S. companies being able to control the dissemination of those technologies.

Given the potential negative impacts of BIS’s contemplated regulatory action—as well as the fact that BIS issued the ANPR immediately before the year-end holiday season—many companies petitioned the agency for an extension of the original 30-day comment period. While BIS did extend the comment period an additional three weeks, the compressed comment period undoubtedly prevented some companies and individuals from offering more detailed insights.  Given the potential economic and security impacts of the ANPR, companies may wish to engage with the Office of Information and Regulatory Affairs (OIRA) within the Office of Management and Budget (OMB) as an alternative or parallel strategy to ensure that the Administration is aware and understands the potential implications on U.S. companies.

Senators Warner and Rubio Introduce Bill to Establish the Office of Critical Technologies and Security

On January 4, 2019, Senators Mark Warner (D-VA) and Marco Rubio (R-FL) introduced S.29, which would establish an “Office of Critical Technologies and Security” within the White House. Recognizing threat of industrial espionage, forced technology transfers, and supply chain vulnerabilities, the bipartisan bill is intended to ensure that technology transfer decisions occur within a broader policy context—a “whole of government technology strategy”—that weighs relevant economic, geopolitical and national security concerns in a way different from the existing BIS regulatory process.

As of January 22, the Senate has taken no further action on the bill.

 

© 2019 Van Ness Feldman LLP
This post was written by R. Scott Nuzum and Eric C. Wagner of Van Ness Feldman LLP.

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by