Employee Privacy by Design: Guidance for Employers Beginning to Comply with the California Consumer Privacy Act

On September 13, 2019, the California Senate and Assembly unanimously passed an amendment to the California Consumer Privacy Act (“CCPA”) that places onerous obligations on employers and entitles employees to statutory damages for data breaches.  The landmark measure—AB 25—awaits Governor Newsom’s signature (or veto).  Regardless of whether AB 25 is signed into law, CCPA applies to employee data and employers have until January 1, 2020 to comply.  This article explores how the California Consumer Privacy Act impacts existing employee privacy rights and how employers can begin to develop a holistic privacy compliance program.


CFIUS Proposes Rules to Implement FIRRMA

Key Takeaways:

  • Technology Infrastructure and Data. CFIUS will focus its review on investments in critical Technology, critical Infrastructure, and sensitive personal Data (“TID Businesses”).
    • “Critical technologies” is defined to include certain items subject to export controls, along with emerging and foundational technologies under the Export Control Reform Act of 2018.
    • CFIUS provides a very helpful list of critical infrastructure and functions to help assess whether any business is a TID Business. We reproduce most of this list at the end of this blog article. (Sneak preview: telecom, utilities, energy, and transportation dominate the list.)
    • The proposed regulations provide much-needed guidance on what constitutes sensitive personal data and also seek to limit the reach of the definition so it does not cast too wide a net over transactions in which CFIUS really should have no national security concern.
  • Exceptions for Certain Countries. Investors from certain countries may be excepted from CFIUS jurisdiction when making non-controlling investments.
  • New Set of Rules for Real Estate. In a companion piece, CFIUS proposed for the first time a detailed set of rules related to investments in real estate. We will cover this in a separate blog article to be published in the near future.
  • Expansion of Short-Form Declaration Use. The proposed rules provide parties the choice to use a short-form declaration for any transaction under CFIUS jurisdiction in lieu of a long-form notice.
  • Comments Due by October 17, 2019. Members of the public may submit comments on the proposed regulations any time between now and October 17, 2019. Final regulations must be adopted by CFIUS and become effective no later than February 13, 2020.


French Regulator Says “Oui” to GDPR Fines for Under-Protected and Over-Retained Data

CNIL, the French data privacy regulator, issued a 400,000 euro ($448,358) fine against a company for GDPR violations stemming from sensitive information collected on its website. Investigating a complaint, the CNIL discovered that the online real estate company Sergic allowed customer information to be freely accessed online and kept that information longer than needed. By editing the text of a certain URL, a Sergic user could retrieve sensitive files that another home rental candidate had uploaded to the website. This security defect left a trove of nearly 300,000 tax and identity documents accessible to anyone who thought to change the text of that URL. The CNIL said that this website design flaw affected the confidentiality of data in violation of Article 32(1)(ii) of GDPR.

The Benefits of the International Commercial Courts of Paris in French-American Commercial Litigations

On February 7, 2018, the Commercial and Appellate Courts of Paris officialized the creation, for each of them, of a chamber dedicated to resolving international commercial litigations. These chambers are known as the International Commercial Courts of Paris (the “ICCP”).

Proceedings before the ICCP have recently been revised to better meet the specific needs of foreign parties involved in international commercial litigations taking place in Paris. The move is intended to strengthen foreign investment in France, especially in the context of Brexit, given a commercial litigation market that in 2016 represented $17.2 billion in the United Kingdom.

Revised EIN Application Process Permits only Individuals to Serve as the “Responsible Party”

An entity operating in the U.S. needs a U.S. Federal employer identification number (“EIN”) in order to open a bank account in the United States, act as an employer, file a tax return and complete certain other corporate tasks.

As of May 13, 2019, entities, other than governmental entities, applying for an EIN must list an individual as the responsible party on the application and in some instances must provide that individual’s Social Security number (SSN) or individual taxpayer identification number (ITIN). Prior to this, common practice had been to list an entity that already had an EIN (such as a parent entity) as the responsible party.

The Little Regulation That Will Make a Big Change in How You Do Business: Department of Commerce to Establish New Export Controls on Emerging Technologies

Key Takeaways:

  • Emerging technology sectors will soon be subject to new export controls.
  • Affected sectors include biotech, computing, artificial intelligence, positioning and navigation, data analytics, additive manufacturing, robotics, brain-machine interface, advanced materials, and surveillance.
  • New export controls on these sectors will likely require companies to obtain a license to export products to China and other destinations, and impose restrictions on sharing information with foreign nationals.
  • These sectors will also be added to the list of industries subject to enhanced foreign investment scrutiny by the U.S. Committee on Foreign Investment in the United States (CFIUS).
  • The U.S. government has invited comments on the criteria to be used to establish new controls. The deadline for comments is December 19, 2018.

Export controls and other regulations often lag a step or two behind the times. That trend has accelerated with the pace of technological advancement. As a result, for many years, technical know-how in many cutting-edge technical fields has not been subject to export controls. This has meant that many commercial technical innovations could be freely exported without significant restrictions. As long as they were not designed for a military application and involved no encryption technology, many new ideas developed in the United States were simply unaccounted for in the U.S. Export Administration Regulations (EAR).

But the U.S. Department of Commerce, Bureau of Industry and Security (BIS) is about to make up a lot of ground in a single, large leap.

Hiring Personnel in New York: Dos and Don’ts – Part 2

Part II: Offer Letters and Background Checks

In a previous article, we addressed certain pitfalls for numerous foreign employers seeking to hire personnel in New York State (see Part 1 regarding advertising and interviewing for a job). This article is the second and last in a two-part series, which will now discuss sensitive New York laws concerning (1) offer letters and (2) background checks.

Drafting an Offer Letter

Once an employer has decided to extend an offer of employment to an applicant, many use offer letters to communicate key terms of employment for the candidate’s consideration. Offer letters are a valuable tool in setting expectations and creating a relationship with a prospective employee. If not carefully drafted, however, offer letters can also be construed as an employment contract or agreement for a fixed term of employment, creating unintended obligations on the employer’s behalf. In New York, the default employment relationship is “at will,” meaning that either the employee or the employer can terminate the relationship at any time, with or without cause and with or without notice. To preserve this relationship status while accurately describing employment terms, employers should observe the following basic requirements when drafting offer letters:

Dramatic Increase in French Privacy Complaints Since GDPR

The French data protection authority CNIL has received 3,767 data protection complaints since the EU’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018. According to CNIL, this is a 64 percent increase compared to the same four-month period last year. CNIL also reported that it has received 600 data breach notifications during the same period. CNIL is in the process of developing new French regulatory tools under GDPR. It has already developed and proposed strict new biometric privacy regulations, and has nearly finalized a certification program for company Data Protection Officers. It is now developing regulations related to customer relations, human resources, and health monitoring.

France Imposes Fine for Unauthorized Use of Fingerprint Timeclocks

The French data protection authority CNIL has issued a fine against the company Assistance Centre d’Appel related to the use of biometric technology in the workplace. During an audit at the end of 2016, CNIL found that the company was using fingerprint timeclocks to track employee hours without prior authorization from CNIL as required by the French Data Protection Act. In France, an employer may not use biometric data to monitor employees’ hours absent prior approval from CNIL, which is only granted in exceptional circumstances. During the 2016 audit, CNIL also found that the company was recording employee phone calls without informing the employees or other call participants, and lacked adequate workstation security. While the company has since ceased the use of fingerprint timeclocks, a 2018 audit by CNIL revealed that the company had failed to properly inform telephone call participants about call recording, and that workstations remained insecure. The fine was set at €10,000, which was based upon the partial compliance of the company and its finances. The company only employs fourteen workers. In publishing its decision, CNIL stated that it sought to remind employees of their rights and employers of their obligations, particularly with respect to biometrics in the workplace. CNIL also intended to remind companies of the consequences for failing to respond to and comply with CNIL notices of default.
