Scherzer Blog

The EU-US Privacy Shield for transatlantic data transfers makes its debut

Announced on February 2, 2016 by the European Commission, the new political agreement called the Privacy Shield, reflects the requirements set out by the European Court of Justice in its ruling on October 6, 2015, which declared the old Safe Harbor privacy framework invalid.

The new arrangement calls for strong data privacy and security measures and robust enforcement of U.S. companies handling Europeans’ personal data, clear safeguards and transparency for U.S. government access, and effective protection of EU citizens’ rights with several redress possibilities.

The College of Commissioners is now preparing an adequacy decision regarding the Privacy Shield–the Article 29 Working Party (the “Working Party”), a data protection authority, is requesting that all documents be provided  by the end of February 2016 so that it can complete its assessment of the new framework at a special plenary meeting shortly thereafter. In a statement issued February 3, 2016, the Working Party provided some assurances that during this period of transition, transfer mechanisms, such as standard contractual clauses (which are data transfer agreements approved by the Commission) and binding corporate rules (generally described as internal data processing rules binding on all members of a global corporate group) to permit intragroup transfers of personal data) can still be used as transfer tools to the U.S.

Organizations that certified compliance under the Safe Harbor regime must continue to meet their obligations in connection with previously transferred personal data to avoid enforcement actions by the Commerce Department or the Federal Trade Commission, which consider the Safe Harbor as still binding. In the interim, implementing the above-mentioned clauses should also be considered to the extent they supplement the Safe Harbor platform. It appears that the Privacy Shield, at least initially, will rely significantly on the Safe Harbor framework, and it is likely that the Department of Commerce will offer a means for Safe Harbor certified organizations to transition to the Privacy Shield.

February 24th, 2016|Educational Series, European Union, Guidance|

CFPB publishes annual guide about consumer reporting agencies

Every year, the Consumer Financial Protection Bureau (the “CFPB”) updates and publishes a guide to consumer reporting companies, The guide includes information in connection with requesting a consumer report from the three largest nationwide consumer reporting companies and dozens of specialty reporting companies, tips regarding specialty reports, updated information about authentication of identity when requesting a consumer report, information on companies that provide free credit scores, and rights with respect to consumer reports.

The CFPB notes that in prior years, its guide referred to consumer reporting businesses as “agencies” or “bureaus,” and that these terms can be confusing because they may imply these businesses are government entities. They are not—these companies are private-sector, for-profit entities, and in this year’s guide, the CFPB refers to them as “companies” for better clarity.

February 23rd, 2016|Educational Series|

FTC files charges against operators of alleged high school diploma mills

The Federal Trade Commission (the “FTC”) filed complaints on February 10, 2016 against two operators of online “high schools” that claim to be legitimate but allegedly are diploma mills, charging anywhere from $135 to $349 for a worthless certificate.

Complaints in both cases filed by the FTC in the U.S. District Court for the District of Arizona charge that the operators bought several website names designed to appear like legitimate online high schools and used deceptive metatags with terms such as “GED” and “GED online” to bring the bogus sites higher in search rankings. Once consumers got to the sites, messages popped up implying that the diplomas offered were equivalent to an actual high school diploma.

According to the FTC’s documents, the “courses” amounted to four untimed and unmonitored multiple-choice tests, requiring that students answer 70% of each test correctly. For some “high schools,” when students failed to meet that standard, they were redirected to the test once more, and this time, the correct answers were highlighted so that the students could change their answers.  Other “high schools” provided students with an online “study guide” that also highlighted the correct answer for students to select when taking the test.

Upon completing the tests, the FTC’s documents charge that consumers were directed to a set of menus to evaluate their “life experiences,” where selecting that he/she knows how to “balance

[a] checkbook” translates as credit for accounting coursework.  If a consumer says they “listen to music occasionally,” he/she may be given credit for a music appreciation course.

The FTC’s complaints in both cases point to numerous consumers who sought to use the diplomas to get jobs, apply for college and even join the military, only to find out that their diplomas were not recognized.

February 23rd, 2016|Fraud, Lawsuit|

Uber settles class-action for $28.5 million for misleading claims about drivers’ background checks

On February 12, 2016, Uber agreed to settle a consolidated class-action filed in the U.S. District Court for the Northern District of California (Philliben v. Uber Technologies, Inc. and Mena v. Uber Technologies, Inc.) by paying $28.5 million to approximately 25 million riders and promising to avoid using certain language in safety-related advertising, as well as the term “safe ride fee.”

In their complaint filed in 2014, the plaintiffs alleged that Uber’s claim of conducting “industry-leading background checks” for which they paid a “safe ride fee” of $1 to $2 on top of each fare, was false and misleading. According to the complaint, Uber does not and has never had an “industry-leading background check process.” To the contrary, the complaint stated that background screening by Uber does not involve fingerprint identification and, therefore, cannot ensure that the information obtained from a background check actually pertains to the driver that submitted the information. By contrast, most taxi regulators in United States require drivers to undergo criminal background screening, using fingerprint identification, and typically employing a technology called “Live Scan.”  Going forward, Uber said it will rename the “safe ride fee” as a “booking fee” which will be used to cover safety and additional future operational costs.

If the judge approves the settlement, members of the class who rode in an Uber vehicle in the United States between January 1, 2013 and January 31, 2016 will be eligible to receive a portion of the settlement.  If that pot is divided evenly among Uber’s 25 million passengers, after attorneys’ fees, each will get around $1.

Read the consolidated class-action complaint here.

February 23rd, 2016|Lawsuit|

Province of Ontario passes the Police Record Checks Reform Act

On December 1, 2015, Ontario passed the Police Record Checks Reform Act, 2015 (the “Act”) which has significant implications regarding criminal record checks. The Act establishes comprehensive standards governing the type of information that can be disclosed by police in response to record check inquiries, and is intended to remove unnecessary barriers to employment, licensing, holding office, applying to educational programs and participating in volunteer activities. Its main objective is to prevent the inappropriate disclosure of non-conviction and non-criminal records, such as information obtained from street checks or “carding,” as well as mental health information.  

Possibly the most significant requirement under the Act is that the individual must review the requested information and then consent to its disclosure. In the event that potentially inappropriate non-conviction information is included in a record, the Act provides that the individual may request a reconsideration of the disclosure. As a result, employers who conduct employment criminal record checks will now only be able to obtain the results if the applicant/employee has consented to the disclosure. 

December 22nd, 2015|Legislation|

Portland’s new ban-the-box law goes beyond Oregon’s version

Effective July 1, 2016, covered Portland businesses will be prohibited from asking job applicants about their criminal history or accessing such records until after a conditional offer has been extended. The city’s legislation goes beyond the state’s law, which beginning January 1, 2016, prohibits Oregon businesses, unless exempted, from including criminal history questions during the preliminary hiring stages, but allows the inquiries during the interview process.

Just as with Oregon’s ban-the-box law, businesses within the city of Portland are excluded from coverage when hiring for certain positions, which include law enforcement, criminal justice, and working with children, the elderly, people with disabilities, and other groups considered vulnerable.

December 22nd, 2015|Legislation|

Phony job applicants targeting employers to collect on FCRA violations

As we reported throughout the year, class-actions brought against employers under the Fair Credit Reporting Act (“FCRA”) alleging hyper-technical violations are proliferating, with several resulting in multi-million dollar settlements.

But there appears to be a new development in this area. According to a National Law Review article, phony job applicants who have no intention of being employed with the targeted companies are submitting employment applications solely to position themselves as plaintiffs in class action litigation and potentially get a windfall settlement. The National Law Review article reports that the fake applicants typically fill out an online job application (usually with companies that have nationwide operations), sign the background check authorization, and then, after receiving an offer or rejection letter send a demand letter stating that the employer’s background check disclosure form or process does not comply with the requirements imposed by the FCRA and demand huge payouts to settle their claims  and avoid the filing of a class action lawsuit.

The FCRA provides for statutory damages ranging from $100 to $1,000 per violation for non-compliance with the FCRA’s notice and disclosure requirements, even where the plaintiff has suffered no actual harm or damag

December 22nd, 2015|FCRA, Lawsuit|

New US-EU Safe Harbor agreement may be around the corner

Various sources report that US and EU representatives met on December 17, 2015 to hash out an agreement that would replace the recently invalidated Safe Harbor privacy framework. The two governments aim to have a replacement framework in place by January, says EU Justice Commissioner Vera Jourová. One of the main goals of the new program is to allow EU citizens’ grievances to be filed directly with their national privacy regulator.

As reported in our client alert and blogs, in October 2015, judges from the European Court of Justice issued a judgment striking down a 15-year old agreement, known as the Safe Harbor framework, which allowed US and European organizations to freely move personal data between the two regions as long as the US ensured an adequate level of data protection at the company and certified that it would abide by the seven EU data privacy principles regarding notice, choice, onward transfer, security, data integrity, access, and enforcement.  The invalidation ruling impacted nearly 4,000 businesses that relied on the Safe Harbor framework to transfer data between the US and Europe and requires all businesses to revaluate their compliance with European data privacy and security standards.

December 22nd, 2015|European Union, Legislation|

NYC Commission issues legal enforcement guidance on employment credit checks

The New York City Commission recently issued interpretive legal enforcement guidance clarifying some of the exemptions in the City’s Stop Credit Discrimination in Employment Act (“SCDEA”), as well as recordkeeping requirements and penalties.

As we reported previously, effective September 3, 2015, the SCDEA amends the New York City Human Rights Law (the “NYCHRL”) to make requesting and using consumer credit history for hiring and other employment purposes, with certain exceptions, an unlawful discriminatory practice.

The SCDEA defines “consumer credit history” as an individual’s “credit worthiness, credit standing, credit capacity, or payment history, as indicated by: (a) a consumer credit report; (b) credit score; or (c) information an employer obtains directly from the individual regarding details about (1) credit accounts, including the individual’s number of credit accounts, late or missed payments, charged-off debts, items in collections, credit limit, prior credit report inquiries, or (2) bankruptcies, judgments or liens.”

It remains unclear whether the law bans only inquiries, but not public record searches, for bankruptcies, judgments or liens. Under the SCDEA, a consumer credit report includes “any written or other communication of any information by a consumer reporting agency that bears on a consumer’s creditworthiness, credit standing, credit capacity or credit history,” and given the broad scope of “any  written or other communication of any information by a consumer reporting agency” caution should be taken regarding these searches and even for civil litigation, as such public records may reveal credit-related information that New York City employers are prohibited from using.

While the SCDEA generally establishes eight categories of exemptions, such as those of individuals required to be bonded under city, state, or federal law which are self-explanatory, there has been much speculation as to the scope of others. In its FAQs, the guidance specifically provides that the exemptions do not cover most low-level employees including, but not limited to, bank tellers, cashiers, salespeople, clerical workers, administrative staff, restaurant/bar workers, and private security employees.

Interpretation about non-clerical positions having regular access to trade secrets is also included in the guidance. The SCDEA defines “trade secrets” as “information that: (a) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means, by other persons who can obtain economic value from its disclosure or use; (b) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy; and (c) can reasonably be said to be the end product of significant innovation.”

The SCDEA limits the trade secret definition to exclude “general proprietary company information such as handbooks and policies” and “access to or the use of client, customer, or mailing lists.” Consistent with this definition and the broad scope of the NYCHRL, “trade secrets” do not include information such as recipes, formulas, customer lists, processes, and other information regularly collected in the course of business or regularly used by entry-level and non-salaried employees and supervisors or managers of such employees.

The guidance emphasizes that all exemptions to coverage under the SCDEA’s anti-discrimination provisions are to be construed narrowly. Employers may claim an exemption to defend against liability, but they have the burden of proving the exemption by a preponderance of the evidence. No exemption applies to an entire employer or industry–exemptions apply only to positions or roles, and not to individual applicants or employees. The law does permits employers to request credit information in response to any lawful subpoena, court order, or law enforcement investigation.

An employer claiming an exemption must show that the position or role falls under one of the eight  general position categories referenced previously. Employers availing themselves of the exemptions should inform applicants or employees of the claimed exemption, and should also keep a record of their use of such exemptions for a period of five years from the date an exemption is used. Keeping an exemption log will help the employer respond to the Commission’s requests for information.

The guidance sets forth civil penalties for violations of the law (up to $250,000 for willful, wanton, or malicious violations, and up to $125,000 for other violations) in addition to other remedies available under the NYCHRL.

Read the SCDEA, N.Y.C. Admin. Code §§ 8-102(29), 8-107(9)(d), (24); Local Law No. 37 (2015)

Access the interpretive guidance, FAQs and other information about the credit check law here.

 

September 23rd, 2015|Legislation|

FTC launches new resource for identity theft victims

The FTC has launched IdentityTheft.gov, a new resource that makes it easier for identity theft victims to report and recover from the crime. A Spanish version of the site is available at RobodeIdentidad.gov.

The new website provides an interactive checklist that explains the recovery process and helps victims understand the steps that should be taken upon learning that their identity has been stolen. It also provides sample letters and other helpful resources. In addition, the site offers specialized tips for specific forms of identity theft, including medical and tax-related, and contains advice for people who have been notified that their personal information was exposed in a data breach.

Identity theft has been the top consumer complaint reported to the FTC for the past 15 years, and in 2014, the Commission received more than 330,000 complaints from consumers who were victims.

June 12th, 2015|Educational Series|
© 2012- SCHERZER INTERNATIONAL | ALL RIGHTS RESERVED
Go to Top