As technology and business rapidly evolve, state and federal government agencies are continually introducing new data privacy regulations that businesses need to be aware of. To address this ever-changing landscape, we are pleased to introduce our new blog—Online & On Point—to provide commentary, updates, and insight on the developments that could have an impact on businesses as they seek to remain in compliance with privacy laws, serve their customers, and to mitigate risk. Our goal is to make Online & On Point a valuable resource for our clients and businesses affected by data privacy regulations across industries.

Bradley’s Cybersecurity and Privacy team includes 40+ cross-disciplinary attorneys with deep experience in the fields of cybersecurity, data security, privacy, and emerging technologies. Our team will analyze significant cases, regulations and developments, assess their importance, and work to provide information relevant to you. You can expect to hear from us at least twice a month on topics such as:

  • The California Consumer Privacy Act (CCPA), the California Privacy Rights and Enforcement Act (CPRA), and other states’ efforts to enact similar regulations
  • Federal privacy regulations
  • International privacy laws including General Data Protection Regulation (GDPR)
  • ADA website compliance
  • Privacy due diligence in M&A and vendor onboarding
  • Educational privacy obligations and best practices
  • Children’s privacy
  • Health technology and privacy
  • Data breach and incident response
  • Privacy litigation

You are invited to review Online & On Point to read about significant regulatory developments and other topics related to cybersecurity and data protection. To make sure you don’t miss updates, subscribe to receive our posts via email.

If you have any questions or suggestions for Online & On Point, please contact us.

Sincerely,

Elizabeth Boone, Daniel Paulson, Erin Illman and Amy Leopard, Editors

Impacts of the European Union invalidation of the EU-U.S. Privacy Shield

Initial Guidance for the Transfer of Personal Data between the European Union and the United States

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a very lengthy and detailed opinion invalidating the EU-US Privacy Shield (Decision 2016/1250), thereby requiring an immediate re-assessment of transfers of Personal Data between the European Union (EU) and the United States.

History of EU – U.S. Personal Data and Privacy Protection

The General Data Protection Regulation (GDPR) was approved by the EU in 2016 and replaced the 1995 EU Data Protection Directive 95/46/EC. GDPR expanded privacy protections and provided for the imposition of heavy fines for violations of such – which have since been levied on several notable U.S. technology companies. GDPR was intended to update and harmonize EU data privacy laws with regard to the protection of Personal Data enumerated in GDPR. Personal Data has since been construed to mean any information relating to an identified or identifiable natural person, referred to as a Data Subject. Critical GDPR protections include:

  • Requiring that consents be provided in clear plain language – think U.S. liability disclaimers.
  • The right to obtain details regarding the use and processing of Personal Data.
  • The right of “data portability” – to receive a copy in a “commonly used and machine readable format,” or to have such transmitted to another party.
  • The “right to be forgotten” – the erasure of Personal Data, or the termination of its dissemination or of links to it.
  • Notification of a breach within 72 hours.

Significantly, Article 44 of GDPR only permits transfers of the Personal Data of EU citizens outside the EU if the level of data protection in the country to which the data will be transferred is comparable to that of the EU. Historically, businesses could transfer EU Personal Data into the U.S. under an agreed-upon data protection regime called the EU-U.S. Safe Harbor.

Legal Challenges to U.S. Data Protections

The U.S. Safe Harbor protections were challenged and invalidated by the CJEU in a case brought by Max Schrems, an Austrian lawyer and data protection activist, against Facebook, which is commonly referred to as “Schrems I.” In response to the invalidation of the EU-U.S. Safe Harbor, and to facilitate the continued transfer of Personal Data to the U.S., the EU and U.S. established additional privacy protections under a regime called the EU-U.S. Privacy Shield.

Schrems brought a second action challenging the suitability of the protections under the EU-U.S. Privacy Shield, which is the basis for the CJEU’s July 16 opinion invalidating the EU-U.S. Privacy Shield – already being dubbed “Schrems II.”

While the Schrems II decision clearly follows on Schrems I, it acknowledges a more fundamental basis for the privacy rights of EU citizens – tantamount to a personal liberty protected by the U.S. Bill of Rights. It is this aspect of the Schrems II decision that may have broader implications beyond the EU-U.S. Privacy Shield and how businesses will need to protect Personal Data of EU Data Subjects going forward. The significance of this issue to data-driven business cannot be overstated.

As an acknowledgement of the commercial significance of data transfers, the U.S. Secretary of Commerce issued an announcement on the invalidation of the EU-U.S. Privacy Shield. The U.S. Secretary of Commerce announcement and other similar announcements have tried to calm commercial concerns by focusing on the invalidation of the EU-U.S. Privacy Shield – and implying that contractual privacy protection clauses can still be used to continue the transfer of Personal Data between the EU and the U.S. While such is true in the short term, the broader EU privacy rights issue raised in Schrems II necessarily requires a more detailed assessment of suitable U.S. protections going forward.

Standard (Privacy) Contractual Clauses at Risk

As background, most businesses have utilized contractual privacy protection clauses, referred to as Standard Contractual Clauses for the transfer of covered Personal Data. Standard Contractual Clauses were promulgated and generally sanctioned by EU Data Protection offices for use with data processors located in non-EU countries.

While the CJEU Schrems II opinion did not expressly invalidate the use of Standard Contractual Clauses, it did establish that EU supervisory authorities are obliged to assess the compliance of such clauses in non-EU countries – such as the U.S. The Data Protection Commission in Ireland and Federal Commissioner for Data Protection in Germany have already issued announcements specifically questioning the adequacy of Standard Contractual Clauses for proposed transfers of Personal Data of EU Data Subjects into the U.S. Other EU Data Protection offices will likely follow suit. We will continue to monitor for such announcements and provide updates accordingly.

Immediate Effects

  • Covered Personal Data transfers from the EU to the U.S. based solely on the EU-U.S. Privacy Shield must be suspended – or subject the responsible parties to GDPR enforcement and fines.
  • Covered Personal Data transfers and related operations involving the U.S. should be evaluated for possible interim use and coverage under Standard Contractual Clauses.

Additional guidance is likely to follow from the EU and EU member state Data Protection offices on the suitability or requirements for the use of Standard Contractual Clauses. There will also likely be a renewed effort for a U.S. federal regulatory solution – with a possible federal preemption – to address the requirements of GDPR as established in Schrems II.

Continue to look for further updates and alerts from Bradley on practices needed to remain compliant with the collection, use, storage and transfer of Personal Data in the US and abroad.

A New Privacy Headache: Virginia’s COVID-19 Workplace Safety Rule is Poised to Impact Privacy

On July 15, 2020, the state of Virginia adopted the first of its kind COVID-19 workplace safety mandate. Propelled by months of inaction from a federal agency tasked with nationwide enforcement of workplace safety relating to COVID-19, Virginia’s Safety and Health Codes Board adopted an emergency regulation designed to establish requirements for employers to control, prevent and mitigate the spread of the virus. The new regulation applies to every employer, employee, and place of employment in the Commonwealth of Virginia within the jurisdiction of the Virginia Occupational Safety and Health program.

All employers are now required to:

  • Assess their workplace for hazards and job tasks that can potentially expose employees to COVID-19;
  • Classify employees according to the hazards they are potentially exposed to and the job tasks they undertake and ensure compliance with the “very high,” “high,” “medium,” or “lower” risk levels of exposure as designated in the regulation;
  • Inform employees of the methods of and encourage employees to self-monitor for signs and symptoms of COVID-19 if they suspect possible exposure or are experiencing signs of an oncoming illness;
  • Develop and implement policies and procedures to address a situation where the employer is notified that an employee has tested positive for COVID-19 antibodies or live virus;
  • Develop and implement policies and procedures for employees to report when they are experiencing symptoms consistent with COVID-19;
  • Prohibit employees or other persons known or suspected to have COVID-19 from reporting to work, and not allow such an employee to remain at the workplace or on a job site (however, teleworking is OK), for at least 10 days or until they receive two consecutive negative tests;
  • Ensure that sick leave policies are flexible and consistent with public health guidance and that employees are aware of these policies; and
  • Notify all coworkers of an employee who has (1) been in the office in the last 14 days and (2) tests positive – within 24 hours of discovery of their possible exposure – without revealing the identity of the positive employee. The employer must also notify other employers who work in the same building and the building/facility owner. Further, the employer must keep confidential the identity of the known COVID-19 person in accordance with the requirements of the Americans with Disabilities Act (ADA) and other applicable Virginia laws and regulations.

While each of these requirements will require changes to the workplace environment, along with updates to policies, procedures, and processes, the last bullet point creates an especially challenging privacy obligation, particularly for small businesses or small offices, but also for larger operations with multiple offices. For example, let’s say an employer is notified that John Doe tests positive in an office of 10 people. John Doe has also traveled to two other offices in the state within the 14-day window. The employer must now notify the employees of all three offices, other employers in those three offices, and each of the building/facility owners of those offices.

These disclosures must also be made without disclosing the identity of the individual who tested positive. It is easy to think of a scenario where implicitly revealing the identity of a person who tests positive will be unavoidable. Even in a larger office, if John Doe is normally at work every day, is suddenly absent, and within 24 hours the employer announces that an employee has tested positive, it will implicitly reveal that it was John Doe. This is particularly true given the duration that John Doe will have to remain out of the office even if asymptomatic after testing positive.

Given this regulation’s potential conflict with medical privacy laws, ADA regulations, and other applicable Virginia laws and regulations, businesses will need to implement these requirements while keeping these very complex privacy issues in mind. At a minimum, businesses should do their best to minimize these instances of implicitly revealing a diagnosis to the extent they can.

Privacy and Faith-Based Institutions: Does Your Church Need a Privacy Policy?

While most state privacy laws exempt non-profit organizations, it is a best practice for churches and faith-based organizations to have a privacy policy informing members about how their personal information is handled. It is especially important to note that faith-based non-profit organizations are not exempt from compliance with the General Data Protection Regulation (GDPR) — adopted by the European Union in 2018 to protect the data and privacy of EU citizens. So if your church processes any data of EU citizens, it must comply with the GDPR.

The relationship between church leadership and its members is grounded in trust. Members trust church leaders with some of the most sacred and private details of their lives. They also trust church leadership to be good stewards of the church’s resources; one of these resources is personal data.

Churches collect and maintain information that may be classified as personally identifiable information from members and visitors such as membership records (names, phone numbers, addresses, email addresses, household member information), counseling appointments and notes, and financial information. Not unlike any other business, churches now use technology for:

  • Online and mobile giving
  • Email newsletter signup
  • Email “Contact Us” options
  • Purchases from online bookstores and resource centers
  • Event registration

But it’s not just about technology. The data collected on traditional giving envelopes and visitor cards also includes personal information that is often transferred to the church’s database.

Careful management of data collected by churches is important to avoid inappropriate disclosures and potential lawsuits. A privacy policy is a promise from churches informing members about how their personal information is collected, used, and stored. Along with all of the other ways members trust their church leaders, a privacy policy can reinforce trust that the church is being a good steward of its data resources. The members can rest assured that their personal information will be handled with privacy, security, confidentiality, and accountability.

This article covers only the importance of providing a privacy policy to church members. It does not cover the various means of protecting personal information communicated through the privacy policy. Privacy policies should be carefully drafted because regulators and courts often treat them as enforceable promises.

Prepare Now For Sharing of and Access to Electronic Health Information: Cures Act Information Blocking and Interoperability Rules Take Effect June 30, 2020

The U.S. Department of Health and Human Services (HHS) issued companion regulations advancing the interoperability of and patient access to electronic health information under the 21st Century Cures Act that will take effect June 30, 2020, with a compliance date of November 2, 2020. Now is the time to learn what the Information Blocking Rule will require and begin the work with stakeholders to establish new practices for advancing interoperability goals safely and securely. Read further for insight from Bradley attorneys on some initial steps for healthcare organizations and health IT developers to get started.