As featured in #WorkforceWednesday: News that a potential COVID-19 vaccine could be imminent brings employers to their next challenge: workplace vaccine policies and procedures. Attorneys Jennifer Barna and Nathaniel M. Glasser tell us more. You can also read about the issues in Business Insider (subscription required).
The rising number of COVID-19 cases in New Jersey has prompted Governor Phil Murphy to issue two new Executive Orders aimed at tightening restrictions on businesses and activities, with a goal of slowing the spread of the virus: (1) Executive Order 194 (“EO 194”) sets limits on indoor operations for bars/restaurants, prohibits indoor interstate youth sports competitions, and clarifies occupancy limits for personal care services; and (2) Executive Order 196 (“EO 196”) tightens prior restrictions on indoor and outdoor gatherings.
EO 194, which became effective November 12, 2020, requires bars and restaurants to close indoor operations to the public from 10:00 p.m. to 5:00 a.m., but permits them to operate their full range of normal business hours for outdoor dining and food delivery and/or takeout services. Casinos may continue to operate but must stop indoor food and beverage service between 10:00 p.m. and 5:00 a.m., including on casino floors. Similarly, indoor retail, recreational, and entertainment business that are permitted to be open may operate after 10:00 p.m. only if they prohibit the consumption of food or beverages between 10:00 p.m. and 5:00 a.m. Regardless of the time, bars and restaurants may not seat patrons at any indoor bar area, and in-person service to patrons standing in bar areas continues to be prohibited.
EO 194 clarifies that bars and restaurants that are permitted to offer in-person service in indoor areas must ensure that tables are six feet apart in all directions from another table or seat, but where that is not possible, establishments may erect barriers between tables consistent with safety standards from the Department of Health (“DOH”), while still complying with the capacity limits of Executive Order 183 (“EO 183”) (limiting capacity for indoor dining at 25 percent of the establishment’s indoor capacity, excluding the establishment’s employees). According to the DOH’s safety standards (which can be found in full here for indoor dining and here for outdoor dining), the table barriers for indoor dining must be:
a minimum of five feet (5 ft) in height, but no higher than six feet (6 ft) in height and must not be within 18 inches of a sprinkler head or block emergency and/or fire exits. Physical barrier options include plexiglass or other non-porous dividers or partitions and comply with current requirements regarding wall finishes. Establishments must ensure that such barriers do not restrict airflow throughout the restaurant.
For outdoor dining, EO 194 allows for the use of structures, such as plastic domes, but no more than eight individuals are permitted to dine together at a time and the structure should be ventilated for a minimum of 15 minutes and cleaned and sanitized between seatings. These structures must also comply with all other applicable codes and regulations (such as the Fire Safety Code) and establishments must obtain necessary prior municipal approvals and permits.
Indoor Interstate Youth Sports Competitions
EO 194 suspends indoor interstate youth sports competitions, including those operated by schools, clubs and recreational programs. Such programs “are also prohibited from hosting indoor interstate youth sports competitions outside of New Jersey, or indoor youth sports competitions outside of New Jersey that would require New Jersey teams to travel to another state.” Under the order, an “indoor interstate youth sports competition” includes “any sports game, scrimmage, tournament, or similar competition that is conducted indoors with opposing teams or individuals from different states competing against each other and which would require an opposing team or individual to travel from a state outside of New Jersey.”
This suspension does not impact collegiate and professional sports activities, which are permitted to continue operations subject to compliance with applicable laws, regulations and Executive Orders (including the restrictions on recreational and entertaining businesses in Executive Order 157, which we wrote about here), and restrictions on gathering in place at the time the sporting activity occurs.
Personal Care Services
EO 194 clarifies that personal care services that were authorized by Executive Order 157 to reopen their indoor facilities to the public must limit occupancy of any indoor premises to 25 percent of the stated maximum capacity, if applicable, at any one time, excluding the facility’s employees.
In the introductory language of EO 196, Gov. Murphy states that “approximately 13 percent of all outbreaks in New Jersey between March 20 through November 1 can be attributed to private gatherings, consistent with the role indoor gatherings have played in leading to further spikes of COVID-19 in other states and countries.” Recognizing that is it challenging to monitor mask wearing/social distancing and to properly contact trace for informal events such as “large house parties,” EO 196 sets new, lower, limits for indoor and outdoor gatherings, with several exceptions.
Indoor gatherings are limited to 10 persons, except as follows:
- For indoor religious services or celebrations, political activities, wedding ceremonies, funerals, or memorial services, the number of attendees is limited to 25 percent of the capacity of the room in which the event takes place, but regardless of the capacity of the room, such limit shall never be larger than 150 or smaller than 10. For purposes of this provision, any private residence or residential unit shall be treated as a single “room;”
- Legislative proceedings of state, county, or local government, including local Boards of Education, and state and local judicial proceedings are not subject to the capacity limits on gatherings in EO 196 or any other applicable Executive Order; and
- The provision of Executive Order 183 governing indoor gatherings for entertainment centers where performances are viewed or given, including movie theaters, performing arts centers, and other concert venues, and provides (among other requirements) that capacity must be limited to 150 people (excluding the business’s employees) or 25% of a room’s capacity— whichever number is lower remains in effect.
EO 196 provides that indoor professional and collegiate athletic competitions are subject to the indoor gathering limit of 10 persons, excluding athletes, coaches, referees, and trainers, and other individuals necessary for the competitive professional or collegiate sporting event (essentially allowing up to 10 spectators). The number of individuals present inside facilities where indoor professional or collegiate athletic competitions are taking place may not exceed 25 percent of the capacity of the room in which it takes place, and such limit may not exceed 150 persons. Additionally, EO 196 reiterates that the provisions of Paragraph 1 of Administrative Order No. 2020-22 regarding indoor gatherings continues to apply.
All other indoor athletic practices and competitions are limited of 10 persons, unless the number of individuals who are necessary for the practice or competition, i.e, players, coaches, and referees, is greater than 10 persons. In that case, the indoor practice or competition may proceed, but no other persons, including spectators, maybe present. In addition, the number of individuals at such an indoor gathering still may not exceed 25 percent of the capacity of the room in which it takes place, and such limit may not exceed 150 persons.
The indoor gathering limits became effective at 6:00 a.m. on November 17, 2020.
EO 196 establishes a 150 person maximum for outdoor gatherings, except for religious services or celebrations, political activities, wedding ceremonies, funerals, or memorial services (which do not have a numerical limit on attendees). Outdoor entertainment centers where performances are viewed or given (including movie theaters, performing arts centers, and other concert venues), are subject to the 150-person maximum, but must also limit the number of patrons to a number that ensures that all individuals can remain six feet apart.
Professional and collegiate athletic competitions conducted outdoors are subject to the outdoor gathering limit of 150 persons, excluding athletes, coaches, referees, trainers, and other necessary individuals. All other outdoor sports practices and competitions are subject to the limit of 150 persons, inclusive of athletes, coaches, referees, and trainers. In addition, EO 196 reiterates that the provisions of Paragraph 1 of Administrative Order No. 2020-22 regarding outdoor gatherings shall continue to apply.
EO 196’s outdoor limits become effective at 6:00 a.m. on November.
Just one week after ordering new business restrictions to combat the recent surge of COVID-19, Governor Larry Hogan announced further mitigation measures in Maryland that will dial back business operations.
On November 17, 2020, Governor Hogan issued Executive Order 20-11-17-01, which amends and restates Executive Order 20-11-10-01 (which we previously summarized here). The amended order goes into effect at 5:00 p.m. on Friday, November 20, 2020.
The amended order, titled “Regulating Certain Businesses and Facilities and Generally Requiring Use of Face Coverings,” has the greatest impact on restaurants and other foodservice establishments (which now includes banquet and catering halls). In addition to reducing indoor dining to only 50% of the establishment’s maximum capacity, bars and restaurants will not be permitted to stay open for indoor dining or serve alcohol after 10:00 p.m.—although they may continue carry-out and delivery service.
In addition, racetracks, outdoor entertainment venues, and sports stadiums will be limited to 250 persons regardless of its size. Notably, the Secretary of Health no longer has the authority to grant waivers for stadium occupancy limits. Religious facilities and retail establishments may not exceed 50% of maximum occupancy, and individuals may now remove face coverings to verify their identity for bona fide security purposes. All other provisions of the prior order remain in place.
The amended order does not interfere with the more stringent restrictions in Montgomery and Prince George’s Counties. Employers operating elsewhere should determine whether their local jurisdiction has published orders more restrictive than the statewide mandate.
* * *
Epstein Becker & Green, P.C., continues to monitor developments in the DMV and throughout the country. Readers may contact the authors or their EBG attorney with any questions or needs for assistance in operational compliance or addressing any other COVID-19-related issue.
The final installment of a 10-part series featuring our video Rules of the Road: Return to Work in the Time of COVID-19.
Did COVID-19 end sexual harassment?
Did a global pandemic that sent humanity indoors, forcing many of us to work remotely (if at all) and to be socially distant while avoiding handshakes and touching obviate the need for such an obvious rule? Well, not exactly. I have been advising clients on this rule and the ripe environment for harassment claims since the pandemic began, and in candor, my position has been met with varying degrees of skepticism (yes, you can still see people rolling their eyes even if they’re not on camera.)
And then it happened. It was inevitable. And it unfolded in the most dramatic and ironic of ways.
Jeffrey Toobin. And a Zoom call. And the rest is history.
The reality is, with more of our interactions taking place via video conference from people’s homes, or through e-mail, social media, instant messaging and Slack channels, things have gotten – well – a little more personal. And people have gotten a little more casual in their interactions (and their use (or misuse) of technology) (side note: one cannot “mute” a video camera on Zoom, fyi…)
Sexual harassment in the workplace has not ended. It just went digital.
And while we await formal study and reporting by the EEOC, the early indications – both from our own practice anecdotally, and empirical data supports this view – globally. Take Australia, for example, where Victoria has reported an 8% increase in sexual harassment complaints during the pandemic amidst some of the most aggressive lockdowns in the world, illustrating that sexual harassment complaints, in the wake of #MeToo – and even in the remote environment – can still very much be “a thing.”
The EEOC Select Study on Workplace Harassment was prescient on this point, concluding that “isolated workplaces” and “decentralized workplaces” were contributing risk factors to harassment claims, particularly as bystander intervention becomes more challenging in a virtual context and may decrease the likelihood of reporting. Additionally, bodies of historical research show that gender-based violence increases during times of crisis.
Many other factors contribute to this paradigm. Chief among them: feelings of social isolation and the desire for human connection in any form; the seemingly endless workday and the blurring of work and home; the challenges the pandemic has had on domestic relationships and childcare; the digital invitation into one’s home via video calls that breaks the third-wall between an employee’s work and personal life that typically exists when the employee reports to a workplace outside the home; the lack of transparency around digital interactions; physical, psychological and economic vulnerability; and yes, the Zoom happy hours, and their ubiquitous side-chats (remember: those too are workplace events and workplace conversations). Be ever mindful of how your words, your actions, and your digital presence might impact other colleagues, both through the end of this pandemic and thereafter.
Recognizing this as a reality, nearly every state that maintains mandatory anti-harassment training requirements (CA, CT, DE, IL, ME, and NY) kept those requirements largely in place throughout the pandemic, including their respective deadlines – further underscoring the point. Companies would also be well-served to adapt their policies and procedures to take into account the virtual workplace, and to reiterate the importance of early reporting of harassment or misconduct.
It’s fair to say that we are all looking ahead with optimism – toward the distribution of a vaccine (or two), to seeing friends, family and loved ones, and to getting back to some semblance of normalcy. All of that will engender relief and exultation – and rightly so.
And when that day comes, we should celebrate. We should hug our friends. We should kiss our parents, our grandparents and our loved ones.
But when it comes to colleagues, please curb your enthusiasm – Don’t Be Creepy™.
Michigan recently announced two COVID-19 developments that will impact employers and their workplaces. Most recently, the Michigan Department of Health and Human Services (MDHHS) issued new restrictions for business operations in the state that are set to take effect on November 18 and last through December 8, 2020 (the “Three Week Pause Order”). The Three Week Pause Order followed an announcement late last week by the Michigan Occupational Safety and Health Administration (MIOSHA) of a State Emphasis Program (SEP) focused on in-door activities and venues, including office settings. The Three Week Pause Order and SEP announcements also include an important reminder to employers of the potential liabilities and penalties if they violate the State’s COVID-19 safety requirements.
Three-Week Pause Order
MDHHS has identified gatherings, and in particular indoor gatherings, as the greatest source of spread of COVID-19. Consequently, the Three Week Pause Order focuses on limiting the spread of COVID-19 by imposing restrictions on in-person business operations. Effective November 18, 2020 employers must comply with the Three Week Pause Order by, among other things, restricting capacity of indoor and outdoor gatherings at certain types of facilities or venues and entirely prohibiting in-person gatherings at others, including high schools, universities, recreational facilities and entertainment venues. An infographic showing what is “open” (with restrictions) and “not open” is available here.
The Three Week Pause Order also imposes contact tracing requirements on certain businesses and activities that are allowed to maintain reduced in-person operations. Specifically, the MDHHS requires those businesses and facilities to “maintain accurate records, including date and time of entry, names of patrons, and contact information” of individuals who enter an employer’s facility to aid with contact tracing efforts. Businesses must collect and maintain this data for 28 days, protect it as confidential to the fullest extent of the law, and furnish it to MDHHS and local health departments upon request.
Finally, the Three Week Pause Order reiterates that employers must comply with face mask usage rules, unless an exception applies. Pursuant to these rules, and with certain exceptions, an employer must prohibit gatherings of any kind unless it requires individuals in such gatherings, including employees, to wear a face mask, and denies entry or service to all persons refusing to wear face masks while gathered. Employers may not assume that someone who enters the facility without a face mask falls within one of the recognized exceptions, including those who cannot medically tolerate a face mask, but may rely on an individual’s verbal representation that they are not wearing a face mask because they fall within a specified exception.
Failure to comply with the Three Week Pause Order requirements can become a costly expense for employers. A violation can be considered a misdemeanor, punishable by imprisonment for not more than 6 months, or a fine of not more than $200.00, or both. In addition, a violation can also be punishable by a civil fine of up to $1,000 for each violation or day that a violation continues.
State Emphasis Program (SEP) for Office-Based Work
In the first week of November, MDHHS issued a summary of the impact of COVID-19 in the workplace, noting 28 reported cases of COVID-19 outbreaks in office settings and a continued increase week after week. MIOSHA followed up less than a week later by launching a SEP focused on office-based employers, reminding employers that they are required to create a policy prohibiting in-person work for employees to the extent that their work activities can feasibly be completed remotely. The SEP for office-based employers seeks to educate and obtain compliance with guidelines and rules that protect workers in office locations where community spread of COVID-19 is a risk. MIOSHA, to enhance compliance with COVID-19 safety practices, has stated that it intends to conduct inspections at workplaces with traditional office settings to review how rules are being followed. If MIOSHA inspections uncover deficiencies in the employer’s COVID-19 preparedness and response plans, it could issue the employer citations and penalties up to $7,000.
The Three Week Pause Order and SEP for office-based work should serve as important reminders to Michigan-based employers of the need to comply with COVID-19 safety practices and of the potential for significant fines and penalties for non-compliance. Michigan-based employers should review their current policies and practices, including any training materials, to ensure they are in compliance with the most up to date COVID-19 safety requirements. Epstein Becker & Green, P.C. stands ready to help employers comply with their COVID-19-related safety obligations and answer any related-questions. Please feel free to contact Adam S. Forman or your Epstein Becker & Green, P.C. attorney.
As COVID-19 cases continue to rise across the nation, the District of Columbia, Maryland, and Virginia all recently have implemented additional mitigation measures that impact business operations. Below is a summary of the key restrictions of which businesses within the DMV should be aware.
District of Columbia
The District of Columbia maintains a compilation of Phase Two Guidance to assist all businesses in reopening (or staying open) responsibly. Recently, on November 6, 2020, Mayor Muriel Bowser issued Mayor’s Order 2020-110, which modifies previous quarantine guidelines for visitors traveling to the District and for residents returning home. This modified order will impact whether and when employees may return to work after traveling outside of the DMV.
Effective immediately, the following restrictions apply:
- District residents – District residents who travel outside the DMV area – except for those traveling to perform essential work or for essential activities, such as obtaining medical care – must, upon their return, either limit daily activities and self-monitor for 14 days upon return, or limit daily activities until obtaining a COVID-19 test within 3-5 days upon return and receiving a negative PCR test result.
- Visitors to DC – Non-District residents visiting from any state or country other than a low-risk jurisdiction – except those from Maryland or Virginia, essential workers, those visiting for less than 24 hours, and, in certain circumstances, individuals traveling for a family emergency or funeral – should be tested for COVID-19 within 72 hours prior to arrival. Visitors staying in D.C. for more than 3 days should limit their activities until they obtain a second negative test result administered within 3-5 days after arrival. Visitors should not come to the District if they test positive for COVID-19 or if they were in close contact with a person with a confirmed case of COVID-19. Private institutions, including employers, hotels, hospitals, and congregate care facilities, may demand individuals produce a record of a negative COVID-19 test within 72 hours of arrival to the District before allowing visitors to enter their facilities.
- High–risk jurisdiction – D.C. has expanded its list of high-risk states to include 42 states.
On November 10, 2020, Governor Larry Hogan issued Executive Order 20-11-10-01, which amends and restates prior orders regarding reopening and the use of face coverings. Notable provisions of the order include:
- Face covering requirement – Individuals aged five (5) and older must wear a face covering (a) at work, when either interacting with others is likely or where food is prepared or packaged; (b) in most indoor locations; (c) in or on public transportation; (d) while obtaining healthcare services; (e) at an outdoor sporting or entertainment venue; or (e) any other outdoor location where physical distancing is not possible.
- Occupancy limitations – Statewide, retail establishments must limit occupancy to 75% of maximum capacity, while nearly all other establishments (foodservice, personal service, fitness centers, entertainment venues, and casinos) must limit occupancy to 50% of maximum capacity.
- Local orders – Importantly, local jurisdictions are authorized to implement requirements that are more restrictive than those in the statewide Executive Order.
Both Montgomery and Prince George’s Counties have issued their own local orders:
- Montgomery County – On November 10, 2020, Montgomery County Executive Marc Erlich issued Executive Order 122-20, which, among other things:
- extends the face covering requirement to all individuals aged two (2) and older;
- prohibits gatherings of more than 25 people at locations, including parties, receptions, parades, festivals, and fundraisers;
- limits capacity to 25% for indoor foodservice establishments, retail establishments, fitness centers, museums and art galleries, and religious facilities;
- prohibits foodservice establishments from selling alcohol after 10 p.m.; and
- requires restaurants to maintain a record of all indoor and outdoor patrons, for at least 30 days, to assist with contract tracing.
- Prince George’s County – On November 12, 2020, Prince George’s County Health Officer Ernest L. Carter issued a Directive and Order for Enhanced Consumer and Employee Safety, which, among other things:
- limits indoor gatherings to 1 person per 200 square feet, or 10 people, whichever is lower, and outdoor gatherings to 1 person per 200 square feet, or 25 people, whichever is lower;
- limits capacity of indoor restaurants to 1 patron per 200 square feet, or 25% capacity, whichever is lower; and capacity of retail establishments to 1 person per 200 square feet, or up to 50% capacity, whichever is lower;
- requires restaurants to maintain a record of all patrons for at least 30 days to assist with contact tracing, and to post signage regarding face coverings and physical distancing; and
- requires most people over the age of five (5) to wear a face mask or covering, even when outdoors, unless vigorously exercising.
On November 13, 2020, Governor Ralph Northam issued Sixth Amended Executive Order 67, which adjusts temporary restrictions and updates guidance to businesses operating within the Commonwealth of Virginia, as well as Amended Executive Order 63, which expands the requirement to wear face coverings in Virginia.
Notably, these Executive Orders, which went into effect at midnight on November 15, 2020, include the following restrictions:
- Limitations to size of gatherings – All public and private in-person gatherings (whether indoor or outdoor) must be limited to 25 people, which is a decrease from the prior cap of 250 people. Although the presence of 25 or more people in an office does not constitute a gathering, the orders place new restrictions on occupancy in various industries.
- Mandatory operating requirements for essential retail businesses – While all businesses are encouraged to comply with Virginia’s Guidelines for All Business Sectors, essential retail businesses must comply with the guidelines or close. Critically, the Virginia Department of Health will enforce violations of these guidelines as a Class One Misdemeanor.
- Restaurant/bar curfews and restrictions on alcohol sales – Restaurants, dining establishments, food courts, breweries, microbreweries, distilleries, wineries, and tasting rooms must now stop the on-site sale, consumption, and possession of alcohol after 10:00 p.m. in their facilities, and must close by midnight.
- Expansion of face covering mandate – All employees of essential retail businesses must wear a face covering whenever working in customer facing areas. In addition, the general requirement of individuals to wear face coverings when inside buildings has been expanded to apply to those aged five (5) and over.
All other requirements of Executive Orders 63 and 67 remain in place.
* * *
As COVID-19 cases spike and the situation continues to evolve, businesses should revisit their operational and safety plans to ensure they meet the specified requirements in each jurisdiction in which they operate. Operational and safety plans are now required in D.C. and Virginia, and developing a comprehensive plan is a recommended best practice.
Epstein Becker & Green, P.C., continues to monitor developments in the DMV and throughout the country. Readers may contact the authors or their EBG attorney with any questions or needs for assistance in operational compliance or addressing any other COVID-19-related issue.
As featured in #WorkforceWednesday: Voters in Arizona, Montana, New Jersey, and South Dakota approved adult recreational marijuana use. Mississippi and South Dakota also legalized medicinal marijuana. Employers should review workplace drug and testing policies and be aware they may also need to provide reasonable accommodations for medical marijuana users going forward. Read more.
On November 11, 2020, the European Data Protection Board (EDPB) issued eagerly awaited guidance for complying with the requirements of the General Data Protection Regulation (GDPR) for protecting the privacy rights of individuals in their personal data subject to potential transfer from the European Union (EU) to the United States and other countries. The guidance comes in the wake of the uncertainly following the Court of Justice’s July 16, 2020 decision in Schrems II invalidating the EU-US Privacy Shield and upholding the use of standard contractual clauses as a permissible vehicle to transfer personal data to countries outside of the European Union provided there are “effective mechanisms” in place to ensure a level of protection for the data that is “essentially equivalent” to that existing within the European Union. The Court recognized that additional safeguards may be needed to provide an adequate level of protection because the standard contractual clauses are between private parties, and do not bind governmental authorities.
The EDPB’s comprehensive guidance goes well beyond its previous post-Schrems II commentary by recommending a step-by-step roadmap that organizations subject to the GDPR should use to determine whether the particular data transfer may permissibly occur and the contractual, technical and other safeguards necessary, if any, to permit the transfer. A well-documented legal analysis of the laws in the data importer’s country potentially impacting the safeguards for the specific data to be transferred is critical. The potential use of additional contractual protections beyond that which is already provided in the standard contractual clauses and technical safeguards, such as encryption, pseudonymised data and split data processing, are featured as part of the assessment process. The EDPB has sought, therefore, to provide a detailed framework for considering safeguards that may be needed if a cross-border data transfer is to be permissible.
Reinforcing the significance of its guidance, the EDPB stated in a press release that:
The EDPB is acutely aware of the impact of the Schrems II ruling on thousands of EU businesses and the important responsibility it places on data exporters. The EDPB hopes that these recommendations can help data exporters with identifying and implementing effective supplementary measures where they are needed. Our goal is to enable lawful transfers of personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the [European Economic Area].
The guidance is premised on the fundamental principle that the protections of the GDPR attach to and travel with the data in transit and at rest in the destination country. Thus, the transfer of data outside the EU cannot be a means to avoid the protections afforded under the GDPR. Indeed, the outcome in Schrems II invalidating the Privacy Shield because it did not provide an adequate level of protection, was motivated by the Court’s concern that the United States’ surveillance programs broadly permitted surveillance of communications in transit for the objective of obtaining foreign intelligence without guarantees for non-U.S. persons potentially impacted by those programs, including the lack of actionable legal remedies against U.S. authorities. In the context of standard contractual clauses as a potential alternative transfer vehicle to the Privacy Shield, the Court recognized that these same concerns over broad surveillance programs warranted supplemental protections to protect the data beyond the standard contractual clauses themselves.
In light of the Court’s concerns, the EDPB recommends the following steps:
Step 1: Know the destination and necessity for data transfers by use of a data map. Data exporters must know where and why the data is being transferred so that they can assess whether the transfer is adequate, relevant and necessary to the purposes for which it is being transferred.
Step 2: Verify that the transfer tool is authorized under the GDPR. In the absence of an adequacy decision pertaining to the third county, the data exporter will need to rely on the transfer tools listed in Article 46 of the GDPR, including standard contractual clauses, Binding Corporate Rules (BCRs) and ad hoc contractual clauses, for transfers that are “regular and repetitive.” The EDPB once again has emphasized that the derogations in Article 49 permit cross border transfers that are only “occasional” and “non-repetitive.”
Step 3: Assess whether the law or practice of the third country may impinge on the effectiveness of the appropriate safeguards for the transfer tools being relied on in the context of the specific transfer. The exporter should focus on legislation that may affect the level of protection for the particular type of data to be transferred (e.g., financial, personnel, health, research, child related or other sensitive data such as race, or ethnicity). The EDPB cautions that the assessment should “not rely on subjective factors such as the likelihood of public authorities’ access to your data not in line with EU standards.” The type and purpose of the data transfer must be considered in the context of legally permissible governmental access and whether that access “is limited to what is necessary and proportionate in a democratic society and whether data subjects are afforded effective redress.”
Step 4: Identify and adopt supplementary measures that are necessary to bring the level of data protection transferred up to the EU standard of essential equivalence. Possible technical safeguards may include use of pseudonymised data where the EU data exporter retains sole control over the algorithm or repository that permits reidentification. The exporter should also consider strong encryption with the cryptographic key being held solely by the EU exporter for certain use cases. Contractual clauses may provide added protections. These may include, for example, the provision for audits by the data exporter to verify if data was disclosed to public authorities and under circumstances “beyond what is necessary and proportionate in a democratic society,” as well as a contractual requirement for the data importer to provide prompt advance notice of its inability to comply with its contractual commitments and meet an “essentially equivalent level of data protection.” The data exporter may also wish to secure a promise by the data importer to review and challenge, where permissible, the legality of any order to disclose the data. The EDPB emphasizes: “You will be responsible for assessing the effectiveness [of the supplementary measures] in the context of the transfer, and in light of the third country law and the transfer tool you are relying on and you will be held accountable for the decision you take.”
Step 5: Comply with formal procedural steps under the GDPR, including consulting competent supervisory authorities as required. This consultation may be required depending on the particular transfer vehicle being relied upon.
Step 6: Evaluate as appropriate the level of protection afforded to ensure continuous vigilance of the level of protection of personal data. Following the issuance of the EDPB’s guidance, organizations should evaluate their processes for authorizing cross-border transfers, and document their considerations and decisions, using the roadmap. The assessment will need to include a legal analysis in the context of the specific type of data at issue and applicable privacy, cybersecurity and surveillance laws in the importing country. The ultimate decision as to whether to proceed with a cross border data transfer may depend on the sufficiency of the mix of contractual and technical safeguards. Any questions regarding the EDPB’s guidance may be directed to Brian Cesaratto or another member of the EBG Privacy, Cybersecurity and Data Asset Management Group
As featured in #WorkforceWednesday: California voters passed Proposition 22, which will exempt app-based transportation and delivery network companies from the state’s AB5 worker classification law. Attorneys Amy Ramsey and Kevin Sullivan tell us what this means for CA employers and the gig economy more broadly. You can read more here.