Introducing… the Global Privacy Control

One of the most recurring questions we’ve gotten from companies subject to the CCPA that have a “Do Not Sell” link has been: “What the heck do we do about this global privacy control?” Up until now, there wasn’t a clear, or even semi-helpful, answer to that question that didn’t involve a fair amount of guesswork. We now have our answer, the aptly named “global privacy control,” but what exactly does it mean?

This concept of “user-enabled global privacy controls” was introduced in the CCPA regulations and left companies scratching their heads as to what it meant. Specifically, Section 999.315(c) states:

If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted pursuant to Civil Code section 1798.120 for that browser or device, or, if known, for the consumer.

The use of the word “shall,” coupled with the seemingly unascertainable scope of this provision, understandably got the attention of those tasked with CCPA compliance. Based on a literal reading, a business has to somehow monitor for the development of any type of mechanism that might provide an opt-out and recognize it, or risk being considered non-compliant with the CCPA. One caveat, subsection (1), provided that “[a]ny privacy control developed in accordance with these regulations shall clearly communicate or signal that a consumer intends to opt-out of the sale of personal information.” So, businesses only have to monitor for every possible mechanism that “clearly” communicates or signals an intention. This was a revision added to the original draft regulations, so presumably the regulators see it as a meaningful limitation. Nevertheless, there remains no apparent limit on a business’s obligation to proactively monitor for highly technical implementations that it may have no internal capability to address, even once it identifies such a global privacy control. For those wrestling with this dilemma there was a temporary measure of comfort. Specifically, in the Final Statement of Reasons for the CCPA Regulations, the OAG stated that the subsection cited above “is forward-looking and intended to encourage innovation and the development of technological solutions to facilitate and govern the submission of requests to opt-out” (see FSOR at p. 37). So we knew, at the very least, that the OAG had no particular signals in mind at the time and that businesses were not yet expected to be processing any.

Unfortunately, it would appear that the window of comfort is coming to a close. A number of organizations, including the likes of DuckDuckGo, the Electronic Frontier Foundation, Mozilla, the New York Times and the Washington Post, are implementing the “global privacy control” (GPC) specification. This specification explicitly references this provision of the CCPA regulations, stating “[t]he GPC signal will be intended to communicate a Do Not Sell request from a global privacy control, as per CCPA-REGULATIONS §999.315.” Given the express intent and the industry players involved, it would appear that this is the first foray into the user-enabled global privacy control. Businesses that have a “Do Not Sell” link should take note and begin to determine how they can comply.

Even though this one has cornered the market on the name, it is highly doubtful this will be the last user-enabled control to signal a user’s intent to opt-out, so businesses need to dedicate resources to addressing this evolving issue.
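The GPC specification the post describes is, mechanically, a signal the browser attaches to every request. The following is an added example (not code from the original post or from the GPC project) of how a site that has a “Do Not Sell” link might recognize the signal server-side and record the opt-out for “that browser or device, or, if known, for the consumer,” as §999.315(c) requires. It assumes, from the published GPC draft, that the request header is `Sec-GPC` with the single defined value `1`, and that a site can announce support at `/.well-known/gpc.json`; the registry, the request model and the sample requests are constructed for the example.

```python
"""Server-side handling of a Global Privacy Control (GPC) opt-out signal.

Added example, not the original post's or the GPC project's code.
Assumptions (from the GPC draft spec, not stated on the page):
  - the browser sends the HTTP request header `Sec-GPC: 1` when the user
    has enabled the control; "1" is the only defined value;
  - a site may publish `/.well-known/gpc.json` to advertise that it honors
    the signal.
The OptOutRegistry and the sample requests below are constructed.
"""
import json
from dataclasses import dataclass, field
from typing import Mapping, Optional, Set


def gpc_opt_out(headers: Mapping[str, str]) -> bool:
    """Return True only for a well-formed opt-out signal.

    Header names are case-insensitive, so normalise before lookup. Only the
    exact value "1" counts: "0", "true", "yes" or a missing header is *not* a
    signal, so a misconfigured proxy cannot manufacture opt-outs by
    forwarding the header with arbitrary content.
    """
    normalised = {name.lower(): value for name, value in headers.items()}
    return normalised.get("sec-gpc", "").strip() == "1"


@dataclass
class OptOutRegistry:
    """Opt-out state keyed the way §999.315(c) describes it.

    The signal is honoured for the browser/device that sent it and, if the
    consumer is known (e.g. logged in), for the consumer across devices.
    """
    devices: Set[str] = field(default_factory=set)
    consumers: Set[str] = field(default_factory=set)

    def apply(self, device_id: str, consumer_id: Optional[str]) -> None:
        self.devices.add(device_id)
        if consumer_id is not None:
            self.consumers.add(consumer_id)

    def is_opted_out(self, device_id: str, consumer_id: Optional[str]) -> bool:
        if device_id in self.devices:
            return True
        return consumer_id is not None and consumer_id in self.consumers


def handle_request(
    registry: OptOutRegistry,
    headers: Mapping[str, str],
    device_id: str,
    consumer_id: Optional[str] = None,
) -> dict:
    """Decide whether 'sale' processing (e.g. loading ad-tech tags) is allowed.

    Returns a small decision record so the call site can log why a sale was
    or was not blocked; a real deployment would persist the registry.
    """
    seen = gpc_opt_out(headers)
    if seen:
        registry.apply(device_id, consumer_id)
    allow_sale = not registry.is_opted_out(device_id, consumer_id)
    return {"gpc_seen": seen, "allow_sale": allow_sale}


def well_known_gpc(last_update: str) -> str:
    """Body for GET /.well-known/gpc.json announcing that GPC is honoured.

    Assumption: the spec's fields are `gpc` (boolean) and `lastUpdate`
    (ISO 8601 date string).
    """
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    # Constructed walk-through: a logged-in user opts out on one device,
    # then returns from a second device that sends no signal.
    registry = OptOutRegistry()
    print(handle_request(registry, {"Sec-GPC": "1"}, "dev-a", "user-1"))
    print(handle_request(registry, {}, "dev-b", "user-1"))
    print(handle_request(registry, {"Sec-GPC": "0"}, "dev-c"))
    print(well_known_gpc("2020-10-07"))
```

Two design points matter in practice. First, the check is deliberately strict: the regulation only obliges a business to honor a control that “clearly” signals intent, and accepting anything other than the defined value would let malformed traffic silently suppress sales (or, worse, let a later parser disagree about what was honored). Second, the decision is recorded, not just acted on, so the business can later demonstrate that a given browser or consumer was treated as opted out from the moment the signal was first seen.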

Governor Approves CCPA Amendment to Further Except Healthcare and Research Information

Gov. Gavin Newsom recently approved A.B. 713, a bill that creates further CCPA exceptions for healthcare and research information. The bill is especially potent in the COVID-19 era, when the need for medical research is greater than ever.

A.B. 713 presents a few notable changes from prior versions of the CCPA. First, the amendment expands the prior exemption for clinical trials to now include information that is collected, used, or disclosed in “research.” Research is broadly defined in the HIPAA Privacy Rule (45 C.F.R. § 164.501) as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”

Second, the amendment expressly exempts information that is deidentified pursuant to either the expert determination method or safe harbor method provided for in Section 164.514 of HIPAA. It is also a requirement that the information is “collected, created, transmitted, or maintained by an entity regulated by the Health Insurance Portability and Accountability Act, the Confidentiality Of Medical Information Act, or the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.” Furthermore, an entity that sells or discloses deidentified patient information must disclose in its online privacy policy which method was used to deidentify the information.

Third, the amendment makes clear that information that is “reidentified shall no longer be eligible for the exemption” except under the following circumstances:

  • Treatment, payment, or healthcare operations conducted by a covered entity or business associate acting in accordance with HIPAA;
  • Research, as defined in Section 164.501 of HIPAA, that is consistent with the Common Rule;
  • Public health activities as described in Section 164.512 of HIPAA;
  • Pursuant to contract; or
  • If otherwise required by law.

Finally, the amendment provides that beginning January 1, 2021, any contract for the sale or license of deidentified information must include (1) a statement that the information being sold or licensed includes deidentified information; (2) a statement that reidentification is prohibited; and (3) a statement that the purchaser or licensee may not further disclose the deidentified information to a third party unless the third party is contractually bound by the same or stricter restrictions and conditions.

In a time of unprecedented changes, expect to see additional developments in state privacy laws, especially privacy laws that concern healthcare. Stay informed as we continue to monitor those developments.

Threats, Harassment, and Contact Tracing: Why Privacy Programs are Expanding to Protect Health Care Workers

Back in March we wrote about Address Confidentiality Programs (ACPs) as the “high stakes compliance risk you probably haven’t heard of.” These state-sponsored programs were traditionally designed to protect victims of crimes such as domestic abuse, sexual assault, stalking, or human trafficking from perpetrators who seek to find and harm their victims. Since that first post a lot has changed, namely COVID-19, the nation’s divisive stance on masks, and attitudes toward public health officials.

Nationwide, at least 61 state or local health leaders in 27 states have resigned, retired, or been fired since April 2020, according to U.S. News. The same report noted that 13 of those departures were in California, including 11 county health officials and California’s top two public health officials. A contributing factor to this exodus of leaders is that health officials are facing an increasing amount of harassment, and even threats of violence, for their work on issues such as contact tracing and COVID-19 containment strategies.

It is in the midst of this volatile healthcare environment that, on Wednesday, September 23, 2020, California expanded its ACP to include not just victims of domestic abuse, but also local health officers and other public health officials. This new expansion of the law allows these frontline workers to hide their addresses from the public in order to protect them from possible threats or violence.

Gov. Gavin Newsom’s Executive Order noted that “local health officers and other public health officials protecting public health during the COVID-19 pandemic have been subject to threats and other harassment including threats and harassment targeted at their places of residence, which threatens to chill the performance of their critical duties.” The Executive Order directs California Secretary of State Alex Padilla to establish a procedure to allow public health officials to participate in the California Safe at Home Confidential Address Program.

This shift is a significant milestone in expanding privacy rights of vulnerable populations, particularly when that vulnerability is a product of evolving public sentiment toward a particular group of people. ACPs shield home, work, and school addresses from public record searches and FOIA. Nationwide, about 41 states have some form of ACP. Most states restrict disclosure from public records, but seven states actually prohibit private companies from disclosing location information as well.

ACPs operate by providing alternate addresses for participants to use in place of their actual address. These designated addresses divert participants’ mail to a confidential third-party location (often a P.O. Box and/or a “lot number”), after which a state agency forwards the mail to the participant’s actual address.

As healthcare workers continue to battle on the front lines of the pandemic, it will be interesting to see whether other states follow California’s lead. In the meantime, it is important to pay close attention to often-missed state privacy laws, such as ACPs. As the privacy landscape continues to evolve, these laws will continue to create a patchwork of regulations in the absence of sweeping federal privacy legislation. For now, California healthcare workers join the list of individuals whose privacy, and safety, often remain dependent on policy implementation at the state level.

Continue to look for further updates and alerts from Bradley on state privacy rights and obligations.

Schrems II, Part 2 — Additional Guidance for the Transfer of Personal Data Between the EU and U.S.

Additional Impacts of the Invalidation of the EU-U.S. Privacy Shield

As previously advised, on July 16, 2020, the Court of Justice of the European Union (CJEU) issued a lengthy and detailed opinion invalidating the EU-U.S. Privacy Shield. The decision required immediate changes in the transfer of “personal data” between the European Union (EU) and the United States.

EU – U.S. Personal Data Protection

The General Data Protection Regulation (GDPR) was approved by the EU in 2016 and dramatically enhanced protections for EU personal data, including:

  • Requiring clear plain language for individual consents.
  • The right to the details of the use and processing of personal data.
  • The right to receive a copy of all personal data in a “commonly used and machine-readable format,” and to have it transmitted directly to another controller, including a competitor.
  • The “right to be forgotten,” through erasure of the data or termination of search links.
  • Notification of a breach within 72 hours.

The GDPR limits transfers of personal data of EU data subjects outside the EU to countries that provide a level of data protection essentially equivalent to that of the EU, or transfers made under approved safeguards. Until the Schrems I and II decisions, businesses could transfer EU personal data into the U.S. under government-negotiated data protection regimes called the EU-U.S. Safe Harbor and, later, the Privacy Shield.

EU Challenges to U.S. Privacy Protections

The U.S. Safe Harbor was initially challenged and invalidated by the CJEU in a case against Facebook, commonly referred to as “Schrems I.” Schrems brought a second action challenging the suitability of the EU-U.S. Privacy Shield, which was created to address the Safe Harbor issues. The CJEU’s July 16 “Schrems II” opinion invalidated the Privacy Shield but left open the use of GDPR “standard contractual clauses.”

Schrems II generally follows Schrems I in finding that there are insufficient protections against U.S. intelligence and/or law enforcement agencies obtaining personal data of EU citizens. The most significant difference is that Schrems II recognized privacy as a fundamental right of EU citizens – tantamount to an individual liberty protected by the U.S. Bill of Rights. It is this aspect of the Schrems II decision that is now generating additional guidance by EU data protection authorities (DPAs) and enforcers, which further impacts how businesses can transfer personal data of EU data subjects going forward.

Various U.S. and EU officials initially made announcements that contractual GDPR privacy protection clauses – called “standard contractual clauses” – could still be used for the transfer of personal data between the EU and the U.S. Unfortunately, EU DPAs and EU enforcement officials are now issuing guidance advising that changes will be required in standard contractual clauses to protect the fundamental privacy right of EU citizens delineated in Schrems II from the perceived privacy threat from U.S. intelligence and law enforcement agencies.

Standard Contractual Clauses Guidance

Many U.S. businesses have utilized standard contractual clauses for the transfer of personal data from the EU. While the Schrems II opinion did not expressly invalidate the use of standard contractual clauses, it did establish that EU supervisory authorities are obliged to assess the compliance of such clauses within non-EU countries.

Immediately following Schrems II, the Data Protection Commission in Ireland and the Hamburg Commissioner for Data Protection and Freedom of Information in Germany issued pronouncements questioning the adequacy of standard contractual clauses for transfers of existing EU personal data to the U.S.

On August 24 the DPA for Baden-Württemberg, Germany issued additional guidance on protections needed in standard contractual clauses for transfers of EU personal data to the U.S. More specifically, the Baden-Württemberg DPA recommended that standard contractual clauses for transfers from the EU to the U.S. include 1) the use of encryption where “only the data exporter has the key and which cannot be broken by US intelligence services;” and 2) pseudonymization of personal data such that it can only be correlated back to the data subject by the data exporter. The DPA even provided a compliance checklist of recommendations, which mirrors recommendations that Bradley has previously provided to minimize cybersecurity risks:

  • Maintain a detailed schedule of data, data transfers and data locations – i.e., use of data maps.
  • Communicate the impact and effects of Schrems II with all service providers – i.e., proactively communicate compliance and contractual requirements to service providers to assure regulatory compliance and delineate contractual responsibility.
  • Research applicable local and federal laws in other jurisdictions – i.e., harmonize regulatory compliance and contractual responsibility where possible.
  • Determine whether a non-EU country has been found inadequate by the EU – i.e., keep current on the ever-changing cyber and privacy requirements of applicable jurisdictions.
  • Determine whether standard contractual clauses must be modified due to inadequate protections of a non-EU country – i.e., assure regulatory compliance and contractual responsibility with multi-jurisdictional requirements.

The Belgian DPA issued similar guidance on August 31, and other EU DPAs are likely to issue additional guidance in the coming months. We will continue to monitor for such announcements and provide updates accordingly.

In addition to the actions and guidance from EU regulators, there is already an effort to address the issue from a U.S. federal regulatory perspective. On September 3, the EU Justice Commissioner, speaking before the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs, advised that the EU is working with the U.S. to develop solutions for the required protections – though from a U.S. perspective no action is likely until after the U.S. election in November.

Immediate Recommendations

  • Personal data transfers from the EU to the U.S. based solely on the EU-U.S. Privacy Shield must be suspended.
  • Personal data transfers involving Germany that are based on pre-existing standard contractual clauses should be suspended until clauses can be revised to reflect the guidance of the Baden-Württemberg DPA.
  • Continue to amend standard contractual clauses as required to comply with additional guidance from other EU DPAs.

Continue to look for further updates and alerts from Bradley to remain compliant with the collection, use, storage and transfer of personal data from the EU.

David Vance Lucas is a member of Bradley’s Intellectual Property and Cybersecurity and Privacy practice groups and leads the International and Cross Border team. Much of David’s experience was accumulated as general counsel for a multinational technology company. He now advises both U.S. and foreign clients on the harmonized application of U.S., U.K. and European laws, and represents clients in various legal proceedings in U.S. and foreign venues.

Gaining Momentum Outside California: Former Presidential Candidate Named Chair of CPRA Advocacy Group Advisory Board

When California voters head to the polls on November 3, 2020, they will decide whether to approve Proposition 24 — the California Privacy Rights Act (CPRA). If approved, the act would establish new privacy rights stronger than the recently enacted landmark California Consumer Privacy Act (CCPA).

Last week, the effort to approve the CPRA gained a prominent supporter as former Democratic Party presidential candidate Andrew Yang was named chair of the advisory board for Californians for Consumer Privacy, an organization that created and led the effort to enact the CCPA and is now advocating for the approval of the CPRA. Yang, who is an entrepreneur and was originally a corporate lawyer, began working in startups and early-stage growth companies as a founder or executive from 2000 to 2009. In 2011, he founded a nonprofit organization focused on creating jobs in cities struggling to recover from the Great Recession. He then ran as a candidate in the 2020 Democratic presidential primaries.

The CPRA would amend the CCPA and create new privacy rights and obligations in California, including:

  • The CPRA would establish a new category of “sensitive personal information,” which would be defined, among other things, to include a Social Security number, driver’s license number, geolocation and passport number.
  • The CPRA would grant California consumers the right to request the correction of their personal information held by a business if that information is inaccurate.
  • The CPRA would establish the California Privacy Protection Agency to enforce the law. The CCPA, by contrast, is enforceable by the California Attorney General’s Office.

Continue to look for further updates and alerts from Bradley on California privacy rights and obligations.

3 Cyber Insurance Steps Critical to Cyber-Risk Management

Cyber-related privacy and security risks continue to evolve like the hydra from Greek mythology. Once one threat has been addressed, two new threats seem to appear. Even the most well-prepared among us must remain vigilant in the war to maintain data security. And any business – no matter how large or small – needs a protocol for action when a cyber incident occurs.

Insurance coverage for cyber risks is a critical component of cyber risk management. Why? Simply put, the aftermath of a cyber incident may threaten the continued viability of your business because it can require substantial financial resources and time away from your core mission.

When a cyber incident occurs, a business must act quickly on several fronts, namely (1) taking the actions needed to keep the business running (“first-party” costs) – such as restoring access to your data through computer forensics or arranging for payment of a ransom – and (2) taking the actions required by law (“third-party” costs) – such as notifying your customers, suppliers, partners, or employees of a privacy breach and responding to any legal actions for damages. A cyber incident may require one or all of the following:

  • A forensic investigation to find and fix the vulnerability that caused the data breach and determine whose personally identifiable information may have been compromised;
  • Restoration of damaged computer systems, hardware, software, and data;
  • Legal advice on privacy law requirements;
  • Notification of third parties and other costs such as monitoring credit, setting up a call center for questions, and restoring stolen identities;
  • Crisis management, including public relations assistance;
  • Liability to third parties for damages caused by the breach;
  • Fines and penalties imposed by government regulators;
  • Fines and penalties imposed by credit card issuers and servicers;
  • Loss of business income due to downtime caused by the cyber incident and extra expenses to mitigate downtime; and
  • Losses from computer fraud.

A comprehensive cyber insurance policy will contain the key insuring agreements to protect against these potential liabilities and losses arising from a data breach.

Steps to Cyber Insurance Security

Step 1: Review your current coverage. Traditional insurance policies covering commercial general liability (CGL), crime, or business property may contain certain cyber coverages by endorsement. While some insurers have begun to integrate more cyber coverages into traditional policies, this piecemeal approach is typically inadequate. A comprehensive stand-alone cyber policy with sufficient limits is best. It is always worth asking what the additional premium would be to obtain the highest limit that is affordable and commensurate with your assessment of the risks.

Step 2: Mind the gaps. Even a “comprehensive” cyber policy can vary significantly from insurer to insurer. Therefore, review of your policies should include identifying any potential gaps in coverage. One of the first published cases interpreting a cyber policy illustrates this point. When hackers accessed 60,000 credit card numbers in P.F. Chang’s customer database, the restaurant chain’s cyber policy covered the $1.7 million in costs to determine the cause of the data breach and defend the company against customer lawsuits (P.F. Chang’s v. Federal Ins. Co., No. CV-15-01322 (D. Ariz. 2016)). Unfortunately, P.F. Chang’s cyber policy did not cover the nearly $2 million in assessments imposed by credit card issuers to pay for notifications to cardholders and reissuance of credit cards compromised by the breach. Policyholder coverage counsel can review the terms and conditions of your cyber coverage to identify any gaps.

Insurers are still grappling with some of the technical aspects of wording cyber coverage. For example, a company may discover that it can no longer use its computer systems or access its electronic information and, simultaneously or thereafter, receive a demand for a ransom in order to regain access. Yet the “cyber extortion” coverage in some policies requires a credible threat to interrupt, corrupt or destroy your computer system. A claims adjuster may unfairly attempt to interpret such policy language as requiring a threat from an attacker prior to the actual attack, even though in a typical ransomware incident the encryption happens first and the demand follows. Your insurance broker or agent can inquire about how your insurer interprets ambiguous wording.

Step 3: When a cyber incident occurs, notify your insurance carriers ASAP. All insurance policies include notification provisions that set out the requirements for notice. Notice is typically required immediately or “as soon as practicable.” Compliance is important to avoid a “late notice” defense and preserve your coverage. The policy’s “conditions” may include additional requirements for coverage, such as pre-approval of payment of a ransom. In addition, most cyber insurers have a team of experienced experts at the ready to help mitigate your losses and manage your response to the cyber incident. Some insurers require use of legal counsel and other vendors from a pre-approved list; however, many insurers will accommodate a different choice.

Ultimately, even the most advanced data security measures are not foolproof. The question is not whether a cyber incident will occur, but how your business will respond when it does. Cyber insurance is an indispensable arrow in your quiver.

As technology and business rapidly evolve, state and federal government agencies are continually introducing new data privacy regulations that businesses need to be aware of. To address this ever-changing landscape, we are pleased to introduce our new blog—Online & On Point—to provide commentary, updates, and insight on the developments that could have an impact on businesses as they seek to remain in compliance with privacy laws, serve their customers, and mitigate risk. Our goal is to make Online & On Point a valuable resource for our clients and businesses affected by data privacy regulations across industries.

Bradley’s Cybersecurity and Privacy team includes 40+ cross-disciplinary attorneys with deep experience in the fields of cybersecurity, data security, privacy, and emerging technologies. Our team will analyze important cases, regulations and developments, will assess their importance, and will work to provide information relevant to you. You can expect to hear from us at least twice a month on topics such as:

  • The California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and other states’ efforts to enact similar regulations
  • Federal privacy regulations
  • International privacy laws including General Data Protection Regulation (GDPR)
  • ADA website compliance
  • Privacy due diligence in M&A and vendor onboarding
  • Educational privacy obligations and best practices
  • Children’s privacy
  • Health technology and privacy
  • Data breach and incident response
  • Privacy litigation

You are invited to review Online & On Point to read about significant regulatory developments and other topics related to cybersecurity and data protection. To make sure you don’t miss updates, subscribe to receive our posts via email.

If you have any questions or suggestions for Online & On Point, please contact us.

Sincerely,

Elizabeth Boone, Daniel Paulson, Erin Illman and Amy Leopard, Editors

Impacts of the European Union invalidation of the EU-U.S. Privacy Shield

Initial Guidance for the Transfer of Personal Data between the European Union and the United States

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a very lengthy and detailed opinion invalidating the EU-U.S. Privacy Shield (Decision 2016/1250), thereby requiring an immediate re-assessment of transfers of Personal Data between the European Union (EU) and the United States.

History of EU – U.S. Personal Data and Privacy Protection

The General Data Protection Regulation (GDPR) was approved by the EU in 2016 and replaced the 1995 EU Data Protection Directive 95/46/EC. GDPR expanded privacy protections and provided for the imposition of heavy fines for violations – which have since been levied on several notable U.S. technology companies. GDPR was intended to update and harmonize EU data privacy laws with regard to the protection of Personal Data. GDPR defines Personal Data as any information relating to an identified or identifiable natural person, referred to as a Data Subject. Critical GDPR protections include:

  • Requiring that consents be provided in clear plain language – think U.S. liability disclaimers.
  • The right to obtain details regarding the use and processing of Personal Data.
  • The right of “data portability” – to receive a copy in a “commonly used and machine readable format,” or to have such transmitted to another party.
  • The “right to be forgotten” – the erasure of the data, or termination of its dissemination or of links to it.
  • Notification of a breach within 72 hours.

Significantly, Article 44 of GDPR only permits transfers of the Personal Data of EU Data Subjects outside the EU if the level of data protection in the country to which the data will be transferred is essentially equivalent to that of the EU, or if the transfer is made under other safeguards GDPR recognizes. Historically, businesses could transfer EU Personal Data into the U.S. under an agreed-upon data protection regime called the EU-U.S. Safe Harbor.

Legal Challenges to U.S. Data Protections

The U.S. Safe Harbor protections were challenged and invalidated by the CJEU in a case brought by Max Schrems, an Austrian lawyer and data protection activist, against Facebook, which is commonly referred to as “Schrems I.” In response to the invalidation of the EU-U.S. Safe Harbor, and to facilitate the continued transfer of Personal Data to the U.S., the EU and U.S. established additional privacy protections under a regime called the EU-U.S. Privacy Shield.

Schrems brought a second action challenging the suitability of the protections under the EU-U.S. Privacy Shield, which is the basis for the CJEU’s July 16 opinion invalidating the EU-U.S. Privacy Shield – already being dubbed “Schrems II.”

While the Schrems II decision clearly follows on Schrems I, it acknowledges a more fundamental basis for the privacy rights of EU citizens – tantamount to a personal liberty protected by the U.S. Bill of Rights. It is this aspect of the Schrems II decision that may have broader implications beyond the EU-U.S. Privacy Shield and how businesses will need to protect Personal Data of EU Data Subjects going forward. The significance of this issue to data-driven business cannot be overstated.

As an acknowledgement of the commercial significance of data transfers, the U.S. Secretary of Commerce issued an announcement on the invalidation of the EU-U.S. Privacy Shield. The U.S. Secretary of Commerce announcement and other similar announcements have tried to calm commercial concerns by focusing on the invalidation of the EU-U.S. Privacy Shield – and implying that contractual privacy protection clauses can still be used to continue the transfer of Personal Data between the EU and the U.S. While such is true in the short term, the broader EU privacy rights issue raised in Schrems II necessarily requires a more detailed assessment of suitable U.S. protections going forward.

Standard (Privacy) Contractual Clauses at Risk

As background, most businesses have utilized contractual privacy protection clauses, referred to as Standard Contractual Clauses, for the transfer of covered Personal Data. Standard Contractual Clauses were adopted by the European Commission and generally accepted by EU data protection authorities for use with data processors located in non-EU countries.

While the CJEU Schrems II opinion did not expressly invalidate the use of Standard Contractual Clauses, it did establish that EU supervisory authorities are obliged to assess the compliance of such clauses in non-EU countries – such as the U.S. The Data Protection Commission in Ireland and Federal Commissioner for Data Protection in Germany have already issued announcements specifically questioning the adequacy of Standard Contractual Clauses for proposed transfers of Personal Data of EU Data Subjects into the U.S. Other EU Data Protection offices will likely follow suit. We will continue to monitor for such announcements and provide updates accordingly.

Immediate Effects

  • Covered Personal Data transfers from the EU to the U.S. based solely on the EU-U.S. Privacy Shield must be suspended – or subject the responsible parties to GDPR enforcement and fines.
  • Covered Personal Data transfers and related operations involving the U.S. should be evaluated for possible interim use and coverage under Standard Contractual Clauses.

Additional guidance is likely to follow from the EU and EU member state Data Protection offices on the suitability or requirements for the use of Standard Contractual Clauses. There will also likely be a renewed effort for a U.S. federal regulatory solution – with a possible federal preemption – to address the requirements of GDPR as established in Schrems II.

Continue to look for further updates and alerts from Bradley on practices needed to remain compliant with the collection, use, storage and transfer of Personal Data in the US and abroad.

A New Privacy Headache: Virginia’s COVID-19 Workplace Safety Rule is Poised to Impact Privacy

On July 15, 2020, the state of Virginia adopted the first of its kind COVID-19 workplace safety mandate. Propelled by months of inaction from a federal agency tasked with nationwide enforcement of workplace safety relating to COVID-19, Virginia’s Safety and Health Codes Board adopted an emergency regulation designed to establish requirements for employers to control, prevent and mitigate the spread of the virus. The new regulation applies to every employer, employee, and place of employment in the Commonwealth of Virginia within the jurisdiction of the Virginia Occupational Safety and Health program.

All employers are now required to:

  • Assess their workplace for hazards and job tasks that can potentially expose employees to COVID-19;
  • Classify employees according to the hazards they are potentially exposed to and the job tasks they undertake and ensure compliance with the “very high,” “high,” “medium,” or “lower” risk levels of exposure as designated in the regulation;
  • Inform employees of the methods of and encourage employees to self-monitor for signs and symptoms of COVID-19 if they suspect possible exposure or are experiencing signs of an oncoming illness;
  • Develop and implement policies and procedures to address a situation where the employer is notified that an employee has tested positive for COVID-19 antibodies or live virus;
  • Develop and implement policies and procedures for employees to report when they are experiencing symptoms consistent with COVID-19;
  • Prohibit known COVID-19 or suspected COVID-19 employees or other persons from reporting to work, and do not allow such an employee to remain at work or on a job site (however, teleworking is OK), for at least 10 days or until they receive two consecutive negative tests;
  • Ensure that sick leave policies are flexible and consistent with public health guidance and that employees are aware of these policies; and
  • Notify all coworkers of an employee who has (1) been in the office in the last 14 days and (2) tests positive – within 24 hours of discovery of their possible exposure – without revealing the identity of the positive employee. The employer must also notify other employers who work in the same building and the building/facility owner. Further, the employer must keep confidential the identity of the known COVID-19 person in accordance with the requirements of the Americans with Disabilities Act (ADA) and other applicable Virginia laws and regulations.

While each of these requirements will require changes to the workplace environment, along with updates to policies, procedures, and processes, the last bullet point creates an especially challenging privacy obligation, particularly for small businesses or small offices, but also for larger operations with multiple offices. For example, let’s say an employer is notified that John Doe tests positive in an office of 10 people. John Doe has also traveled to two other offices in the state within the 14-day window. The employer must now notify the employees of all three offices, other employers in those three offices, and each of the building/facility owners of those offices.

These disclosures must also be made without disclosing the identity of the individual who tested positive. It is easy to think of a scenario where implicitly revealing the identity of a person who tests positive will be unavoidable. Even in a larger office, if John Doe is normally at work every day, is suddenly absent, and within 24 hours the employer announces that an employee has tested positive, it will implicitly reveal that it was John Doe. This is particularly true given the duration that John Doe will have to remain out of the office even if asymptomatic after testing positive.

Given this regulation’s potential conflict with medical privacy laws, ADA regulations, and other applicable Virginia laws and regulations, businesses will need to implement these requirements while keeping these very complex privacy issues in mind. At a minimum, businesses should do their best to minimize these instances of implicitly revealing a diagnosis to the extent they can.

Prepare Now For Sharing of and Access to Electronic Health Information: Cures Act Information Blocking and Interoperability Rules Take Effect June 30, 2020

The U.S. Department of Health and Human Services (HHS) issued companion regulations advancing the interoperability of and patient access to electronic health information under the 21st Century Cures Act that will take effect June 30, 2020, with a compliance date of November 2, 2020. Now is the time to learn what the Information Blocking Rule will require and begin the work with stakeholders to establish new practices for advancing interoperability goals safely and securely. Read further for insight from Bradley attorneys on some initial steps for healthcare organizations and health IT developers to get started.