Cities step up their efforts to combat the COVID-19 Delta variant. New York City, New Orleans, and San Francisco have all announced requirements for certain persons to produce evidence of COVID vaccination status in order to patronize or work indoors at certain establishments. Adding to an already complex patchwork of COVID-related regulation – screening, social distancing, contact tracing, paid-time off, record keeping, etc. – certain businesses will need to absorb another layer. But while doing so, they should avoid creating new data privacy and security risks.

In general, each of the cities requires businesses in certain industries such as food services (restaurants, bars), fitness, and entertainment (hotels, casinos, music halls) to require employees, patrons, customers, contractors, and others to provide proof of vaccination to go indoors at these establishments. In some cases, proof is required even for certain outdoor activities. For example, in New Orleans, the requirement applies to outdoor events of more than 500 people if total attendance is more than 50% of the outdoor venue’s capacity.

There are several exceptions to these requirements. For example:

  • Persons under 12 do not have to provide proof of vaccination.
  • In New Orleans, a negative PCR test within 72 hours of access can be provided in lieu of vaccination proof. This is not permitted in San Francisco, which requires proof of full vaccination. See FAQs for COVID-19 Health Order C19-07y. NYC requires proof of at least one dose of the COVID-19 vaccination.
  • San Francisco businesses may allow patrons wearing a well-fitted mask to use a restroom indoors without vaccination verification. There is a similar exception in NYC.
  • If an individual in NYC is unable to show proof of vaccination due to a disability, the business must engage in a cooperative dialogue to see if a reasonable accommodation is possible. Reasonable accommodation is not required if the individual would create a direct threat to other customers or employees, or impose an undue hardship on the business. A similar approach is required for employees.

A significant issue for covered businesses, however, is whether they must collect any additional information in order to comply, and how that information should be safeguarded, retained, and/or disclosed, as necessary. Businesses will want to have sufficient proof that they have complied to avoid an enforcement action. In New York City, when enforcement begins on September 13, 2021, noncompliant establishments may be subject to a fine of $1,000, or more for repeated violations. But this does not mean they need to collect sensitive personal information.

The cities provide several ways for individuals to communicate proof of COVID vaccination.

  • In New Orleans, individuals can use the LA Wallet app; an original, digital photograph, or photocopy of CDC vaccination cards (both sides); or an official vaccine record issued by another state, foreign nation or the World Health Organization.
  • In San Francisco, one can show their CDC Vaccination Record Card (CRC), an image of the card saved to one’s smartphone, a digital COVID-19 vaccine record issued by the State of California, or an approved private app.
  • In NYC, any of the following could be a Key to NYC: one’s CDC vaccination card, the NYC COVID Safe App, the New York State Excelsior App, an official vaccine record, or a photo or hard copy of an official vaccination record of a vaccine administered outside the U.S.

In NYC, businesses also must check the ID of each person required to show proof of vaccination who appears to be 18 or older to confirm the individual is the same person as listed on the proof of vaccination. The ID must contain either the person’s name and picture, or name and date of birth. However, ID checks are not required for individuals that can be matched against information the business already maintains, such as employees.

Do I need to check other identification besides proof of vaccination?

Yes. Identification bearing the same identifying information as the proof of vaccination must also be displayed. (underline added)

See NYC’s Key to NYC FAQs. San Francisco has a similar requirement. See San Francisco FAQs (“Businesses subject to this new requirement must cross-check proof of vaccination against each patron’s photo identification.”)

Some of these methods raise privacy and data security issues for individuals, especially for those choosing to use apps. Pennsylvania is just one state reeling from a data breach involving a COVID app that exposed medical information of thousands of its citizens. But there are significant questions for businesses – what information do they have to collect, if any, and what steps should they take to process and safeguard that information.

NYC’s Key to NYC FAQs provides:

Who must display proof of vaccination?

Employees, patrons, interns, contractors, and volunteers at Key to NYC establishments must display proof of vaccination. Businesses may keep a record of people who have previously provided proof of vaccination, rather than require the proof be displayed every time the person enters the establishment. (underline added)…

What documents do I need to maintain?

You must have a written record that describes how you will verify proof of vaccination for staff and patrons. The record must be on site and available for inspection.

Based on the above, covered NYC businesses are not required to collect information from individuals about their vaccination status. They only need to document how they will verify proof. (NYC provides a sample written protocol.) The guidance suggests, however, that businesses could maintain a record of persons who already confirmed vaccination status for ease of administration. But doing so arguably would create confidential personal information.

New Orleans and San Francisco also do not require businesses to collect proof of vaccination information, although businesses in San Francisco should assess whether the California Consumer Privacy Act (CCPA), as amended, applies and whether additional compliance measures should be implemented.

So, the good news is that while there are some additional compliance requirements in these cities concerning COVID, covered businesses should not have to collect personal information from customers or employees in most cases to meet these requirements. When implementing these measures, businesses should consider advising employees to avoid collecting personal information. Of course, in cases where an employee or patron seeks a reasonable accommodation, the business may need additional information to process that request. In that case, there should be procedures in place to minimize the information needed, to safeguard what is collected, and to limit disclosure of what is retained.

Facial recognition technology has become increasingly popular in recent years in the employment and consumer space (e.g. employee access, passport check-in systems, payments on smartphones), and in particular during the COVID-19 pandemic. As the need arose to screen persons entering a facility for symptoms of the virus, including temperature, thermal cameras, kiosks, and other devices embedded with facial recognition capabilities were put into use. However, many have objected to the use of this technology in its current form, citing problems with the accuracy of the technology, and now, more alarmingly, there is growing concern that “Faces are the Next Target for Fraudsters,” as summarized by a recent article in the Wall Street Journal (“WSJ”).

In the last year, there has been an uptick in hackers trying to “trick” facial recognition technology in a myriad of settings, such as fraudulently claiming unemployment benefits from state workforce agencies. The majority of states are now using facial recognition technology as a way to verify eligible citizens, ironically enough, in order to prevent other types of fraud. As discussed in the WSJ article, the firm ID.me, Inc., which provides facial recognition software for 26 states to help verify individuals eligible for unemployment benefits, saw over 80,000 attempts to fool government identification facial recognition systems between June 2020 and January 2021. Hackers of facial recognition systems use a myriad of techniques, including deepfakes (AI generated images), special masks, or even holding up images or videos of the individual the hacker is looking to impersonate.

Fraud is not the only concern with facial recognition technology. Despite its appeal for employers and organizations, there are concerns regarding the accuracy of the technology, as well as significant legal implications to consider. First, there are growing concerns regarding accuracy and biases of the technology. A recent report by the National Institute of Standards and Technology studied 189 facial recognition algorithms, which is considered the “majority of the industry”. The report found that most of the algorithms exhibit bias, falsely identifying Asian and Black faces 10 to beyond 100 times more than White faces. Moreover, false positives are significantly more common in women than men, and more elevated in the elderly and children than in middle-aged adults.

In addition, several U.S. localities have already banned the use of facial recognition for law enforcement, other government agencies, and/or private and commercial use. The City of Baltimore, for example, recently banned the use of facial recognition technologies by city residents, businesses, and most of the city government (excluding the city police department) until December 2022. Council Bill 21-0001 prohibits persons from “obtaining, retaining, accessing, or using certain face surveillance technology or any information obtained from certain face surveillance technology.” Likewise, in September of 2020, the City of Portland in Oregon became the first city in the United States to ban the use of facial recognition technologies in the private sector, citing, among other things, a lack of standards for the technology and wide ranges in accuracy and error rates that differ by race and gender. Failure to comply can be painful. The Ordinance provides persons injured by a material violation a cause of action for damages or $1,000 per day for each day of violation, whichever is greater.

And finally, companies looking to implement facial recognition technologies must consider their obligations under laws such as Illinois’ Biometric Information Privacy Act (BIPA) and the California Consumer Privacy Act (CCPA). The BIPA addresses a business’s collection of biometric data from both customers and employees, including, for example, facial recognition, fingerprints, and voice prints. The BIPA requires informed consent prior to collection of biometric data, mandates protection obligations and retention guidelines, and creates a private right of action for individuals aggrieved by BIPA violations, which has resulted in a flood of BIPA class action litigation in recent years. Texas, Washington and California also have similar requirements, New York is considering a BIPA-like privacy bill, and NYC recently created BIPA-like requirements for retail and hospitality businesses concerning biometric collection from customers. Additionally, states are increasingly amending their breach notification laws to add biometric information to the categories of personal information that require notification, including 2020 amendments in California, D.C., and Vermont. Moreover, there are a myriad of data destruction, reasonable safeguards, and vendor requirements to consider, depending on the state, when collecting biometric data.

Takeaway

Facial recognition and other biometric data related technology is booming, and continues to infiltrate different facets of life that are hard to even contemplate. The technology brings innumerable potential benefits as well as significant data privacy and cybersecurity risks. Organizations that collect, use, and store biometric data increasingly face compliance obligations as the law attempts to keep pace with technology, cybersecurity crimes, and public awareness of data privacy and security. Creating a robust privacy and data protection program or regularly reviewing an existing one is a critical risk management and legal compliance step.

Colorado is officially the third U.S. state to enact comprehensive privacy legislation, following California and Virginia. The Colorado General Assembly passed the Colorado Privacy Act (CPA), Senate Bill 21-109, on June 8, 2021, and Governor Jared Polis signed it into law on July 7, 2021.

The Colorado Privacy Act takes effect July 1, 2023, six months after the Virginia Consumer Data Protection Act (VCDPA) and California Privacy Rights Act (CPRA).

Applicability

The CPA provides new obligations on Controllers—that is, any entity that (i) determines the purposes and means of processing personal data, (ii) conducts business in Colorado or produces or delivers commercial products or services intentionally targeted to residents of the state, and (iii) either:  (a) controls or processes the personal data of more than 100,000 Colorado residents per year or (b) derives revenue from selling the personal data of more than 25,000 Colorado residents.

It also provides new rights to Consumers—or, any individual who is a Colorado resident acting in an individual or household context.

The CPA does not apply to data that is subject to other federal privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act (FERPA), and the Securities Exchange Act of 1934. The CPA also exempts employment data, higher education institutions, nonprofits, state and local governments, and public utility customer records (so long as they are not sold).

Consumer Rights under the Colorado Privacy Act

The rights the CPA affords to Consumers are similar to those in the VCDPA and CCPA/CPRA.

In broad strokes, the CPA regulates the use of and disclosures surrounding “personal data,” which includes information that is linked, or reasonably linkable, to an identifiable person, and “sensitive data,” which includes data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition, sexual orientation, citizenship, genetic or biometric data, or personal data from a known child.

The CPA empowers Consumers with new controls over their data, including the right to:

  1. opt out of the processing of certain personal data;
  2. access personal data (up to twice per calendar year);
  3. correct inaccurate data;
  4. delete personal data; and
  5. data portability.

Controller Duties under the Colorado Privacy Act

Similarly, the CPA creates duties for Controllers, including the:

  • Duty of transparency;
  • Duty of purpose specification;
  • Duty of data minimization;
  • Duty to avoid secondary use;
  • Duty to avoid unlawful discrimination; and
  • Duty regarding sensitive data.

In addition, while Consumers may request access to their personal data, Controllers may not require that a Consumer create a new account in order to exercise this right (or retaliate with increased cost or decreased availability of a product or service). When responding to Consumer data requests, Controllers must:

  • Take action on the Consumer’s request without undue delay and within 45 days of receiving the request—with few exceptions.
  • Develop an internal process for Consumers to appeal refusals of data requests.
  • Notify the Consumer that it may contact the Colorado Attorney General if the Consumer has concerns about the result of the response and outcome of appeal.

Controllers must also conduct data protection assessments for each processing activity involving a heightened risk of harm to Consumers, including:

  • The sale of personal data;
  • Processing of sensitive data; or
  • Processing personal data for targeted advertising if it could lead to unfair or deceptive treatment or have a disparate impact on Consumers, financial or physical injury, physical or other intrusion upon seclusion, or other substantial injury.

Controllers must present these data protection assessments to the CO Attorney General upon request.

Enforcement

One key difference between the CPA and California and Virginia privacy laws is that the CPA is enforceable by both the district attorney and office of the attorney general. This broadened enforcement mechanism could lead to greater scrutiny of affected businesses.

Unlike the CCPA, the CPA does not include a private right of action. The attorney general or district attorney may, however, institute a civil action or pursue injunctive relief. Failure to comply with the CPA may be considered a deceptive trade practice. Financial penalties are left to the discretion of the courts.

Key Takeaways

Colorado may be only the third state to enact comprehensive privacy legislation, but other states will likely be soon to follow. Differences between the CPA, VCDPA, and CPRA are subtle, and there are plenty of technical details to sift through. While this may ease the burden of compliance, companies still need to ensure their data collection activities fully comply with the provisions of each privacy act.

And with more states likely to follow suit, data privacy compliance will only get more complicated.

Please contact a Jackson Lewis attorney with any questions.

* Jackson Biesecker is a law clerk in our Privacy, Data & Cybersecurity Practice Group who contributed substantially to this article.

Globalization, compliance, and the growth in outsourcing have created a myriad of cross-border data transfer scenarios. These scenarios include marketing to and servicing customers, assessing global compliance with diversity and inclusion goals, and outsourcing back office business functions. However, the emergence of far-reaching data privacy regulation, such as the EU General Data Protection Regulation (“GDPR”), has erected roadblocks to the free flow of personal data, particularly from the European Economic Area (“EEA”) to countries without an EU adequacy decision, including the United States. Standard Contractual Clauses (“SCCs”) are one way to navigate the roadblocks, but the SCCs are not as simple as circulating a form agreement.

The recent Schrems II decision further complicated the flow of information when it invalidated the EU-U.S. Privacy Shield, and the original SCCs were unable to adequately address the EU Commission’s concerns about the protection of personal data. However, SCCs have played an increased role as an appropriate safeguard for transferring personal data. For U.S. companies sending or receiving personal data from the EEA, these new clauses will help accommodate an expanded set of transfer arrangements including processor to processor and processor to controller. Among other changes, the new SCCs address the data importer’s duties in situations where applicable laws affect its ability to comply with the SCCs, an issue raised in the Schrems II decision.

In short, the new SCCs are contractual terms adopted in part by the EU Commission to facilitate the transfer of personal data post-Schrems II. The SCCs are designed to ensure a non-GDPR importer has implemented appropriate safeguards to protect the data, and that data subjects have enforceable rights and effective legal remedies. The FAQs below summarize the new SCCs.

  1. What are the “new” SCCs?

On June 4, 2021, the EU Commission adopted “new” modernized SCCs to replace the 2001, 2004 and 2010 SCCs currently in use.

  1. How are the new SCCs different?

The EU Commission updated the SCCs to address more complex processing activities, the requirements of the GDPR, and the Schrems II decision. These clauses are modular so they can be tailored to the type of transfer.

  1. What types of data transfers are subject to the new SCCs?

The original SCCs apply to controller-controller and controller-processor transfers of personal data from the EU to countries without a Commission adequacy decision. The updated clauses are expanded to also include processor-processor and processor-controller transfers.

  1. Can multiple parties execute the SCCs?

Yes. While the existing SCCs were designed for two parties, the new clauses can be executed by multiple parties. The clauses also include a “docking clause” so that new parties can be added to the SCCs throughout the life of the contract.

  1. What obligations does a data importer have?

The obligations of the data importer are numerous and include, without limitation:

  • documenting the processing activities it performs on the transferred data,
  • notifying the data exporter if it is unable to comply with the SCCs,
  • returning or securely destroying the transferred data at the end of the contract,
  • applying additional safeguards to “sensitive data,”
  • adhering to purpose limitation, accuracy, minimization, retention, and destruction requirements,
  • notifying the exporter and data subject if it receives a legally binding request from a public authority to access the transferred data, if permitted, and
  • challenging a public authority access request if it reasonably believes the request is unlawful.

  1. Do the new SCCs require a risk assessment?

Yes. The SCCs require the data exporter to warrant there is no reason to believe local laws will prevent the importer from complying with its obligations under the SCCs. In order to make this representation, both parties must conduct and document a risk assessment of the proposed transfer.

  1. What does the risk assessment require?

The parties should review the facts and circumstances of the transfer (e.g., the nature of the data, duration of transfer, purpose for processing, storage location of the data, intended onward transfers), the relevant laws and practices of the importer’s jurisdiction, the existence or absence of public authority requests for access to the data in the importer’s jurisdiction, and any reasonable safeguards designed to supplement the protections of the SCCs. This documented assessment must be completed before fully executing the SCCs and it must be made available to the Supervisory Authority on request.

  1. Are the new SCCs negotiable?

No. The new SCCs cannot be negotiated, amended, or edited. However, additional terms can be included as long as they do not contradict or conflict with the underlying SCCs or the data subject’s privacy rights. Of course, those additional terms may be negotiated. It will also be important to consider what effect the new SCCs have on existing service agreement terms and conditions.

  1. What are the SCCs Annexes?

The SCCs include an Appendix with three Annexes for the parties to complete: Description of Transfer, Security Measures, and Sub-processors. These Annexes require detailed information about the transfer, particularly with respect to technical and organizational measures the importer will use to safeguard the data.

  1. Do the new SCCs apply to U.S. organizations that are not subject to the GDPR?

Yes, if a data exporter transfers data from the EU to a U.S. organization, the U.S. organization must execute the new SCCs unless the parties rely on an alternate transfer mechanism or an exception exists. This applies regardless of whether the U.S. company receives or accesses the data as a data controller or processor.

  1. When would a U.S. organization use the new SCCs to transfer or receive personal data from the EU?

A U.S. organization that is subject to the GDPR based on an “establishment” in the EU may transfer data from the EU to a data importer in the U.S. (or other country without an EU adequacy decision) in reliance on the SCCs unless the importer is also subject to the GDPR, the parties rely on an alternate transfer mechanism, or an exception applies. For example, assume the U.S. organization’s EU office transfers customer personal data to a third-party billing vendor located in the U.S. or transfers employee data to a compensation consultant in the U.S. In this case, if the vendor is not subject to the GDPR, the U.S. organization can enter into SCCs with that vendor to meet its obligations under the GDPR with regard to that transfer.

Perhaps a U.S. organization is not established in the EU but is subject to the GDPR because it offers goods or services to data subjects located in the EU or monitors their behavior in the EU. This organization may need to transfer the personal data of its EU customers to a third-party shipping vendor located in the U.S. It may transfer such data in reliance on the SCCs, unless the importer (the shipping vendor) is subject to the GDPR, the parties rely on an alternate transfer mechanism, or an exception applies.

Even in cases where a U.S. organization is not subject to the GDPR, but receives personal data in the U.S. from the EU or accesses personal data stored in the EU from the U.S., it must execute SCCs with the data exporter unless the parties rely on an alternate transfer mechanism or an exception exists. This applies regardless of whether the U.S. company is receiving or accessing the data as a data controller or data processor. For example, where a U.S. organization receives personal data as a controller for its own processing purposes (e.g., a U.S. ), the parties can execute controller – controller SCCs. Alternatively, if the U.S. organization receives personal data as a processor for the data exporter’s processing purposes (e.g., a U.S. marketing company receives customer personal data from an EU retailer), the parties can execute controller – processor SCCs.

In circumstances where a U.S. organization is not subject to the GDPR, but receives personal data from the EU as a processor and transfers that data to a sub-contractor or sub-processor in the U.S. (i.e., an onward transfer), the parties can execute processor – processor SCCs. For example, this may apply where a U.S. company provides fulfillment services to the data exporter and subcontracts shipping services to a third-party.

  1. Do the new SCCs give rights to individuals whose personal data is being transferred?

Yes. Individuals whose personal data is being transferred from the EU (i.e., data subjects) are third party beneficiaries of the SCCs and can invoke and enforce the SCCs against both the data exporter and importer.

  1. Does executing the new SCCs subject a U.S. company to EU jurisdiction?

With the exception of processor-controller transfers, the SCCs will be governed by an EU member state law that recognizes third party beneficiary rights and disputes arising from the clauses will be resolved in the courts of that member state. In addition, the importer must submit to the jurisdiction of the applicable Supervisory Authority and EU member state courts; commit to abide by any binding decision under the member state law; agree to respond to inquiries and submit to audits; and comply with remedial and compensatory measures adopted by the Supervisory Authority. In the case of a processor-controller transfer, the parties shall select the law of the country that will govern; however, that law must allow for third party beneficiary rights.

  1. What is the operative date of the new SCCs?

The 2001, 2004 and 2010 SCCs are repealed, effective September 27, 2021. New transfers made after September 27, 2021 must use the new SCCs.

  1. Should an organization replace the SCCs it is currently using for ongoing transfers of personal data from the EU?

Yes, but there is a grace period. Organizations currently using the original SCCs for ongoing transfers must replace them with the new clauses by December 27, 2022. During the grace period, the parties must ensure the ongoing transfer is subject to appropriate safeguards.

  1. Should organizations replace SCCs that were used for a completed, one-time transfer of personal data from the EU?

Maybe. If the transfer of data from the EU to the U.S. has been completed, but the data importer continues to process the personal data, the parties must replace the original SCCs with the new clauses by December 27, 2022.

  1. Do the new SCCs impact GDPR data processing agreements?

Yes. The new SCCs may be used in lieu of a GDPR data processing agreement between a controller and processor or processor and processor during a transfer, thus eliminating the need for both a data processing agreement and SCCs. The new SCCs include the Article 28 provisions typically included in a GDPR data processing agreement.

  1. Do the new SCCs apply to transfers of personal data from the U.K. to the U.S.?

No. The original SCCs will continue to apply to U.K. – U.S. transfers of personal data until the U.K. recognizes the EU Commission’s new SCCs or adopts its own version.

  1. What steps should U.S. organizations take to prepare for the new SCCs?

Preparing for the new SCCs will require a commitment of time and resources. U.S. organizations that plan to transfer, receive, or access personal data from or in the EU after September 27, 2021 should consider the following steps well in advance of the SCCs’ operative date:

  • Identifying ongoing transfers that will need to be updated and reviewing completed transfers to determine whether processing on the data is ongoing.
  • Implementing a process to conduct documented risk assessments prior to a transfer that includes:
      • Reviewing transfer facts.
      • Identifying applicable national and local laws and practices.
      • Assessing the potential for public authority access to, or requests to access, transferred data.
      • Determining whether the organization previously received public authority access, or requests to access.
      • Identifying additional available reasonable safeguards for the transfer.
  • Developing internal policies for handling data transferred from the EU to ensure compliance with purpose limitations, storage and retention requirements, data minimization, data destruction and confidentiality obligations.
  • Training employees to identify cross border transfers of EU data that may be subject to the GDPR and SCCs including client, consumer, and HR data.
  • Reviewing the organization’s technical and organizational safeguards to ensure adequate protection of EU data during transmission and storage.
  • Determining whether data transferred or received from the EU will be transferred onward to a third party or vendor and reviewing vendor and third-party contracts to ensure the recipient will be contractually obligated to implement reasonable safeguards.
  • Reviewing and updating the organization’s data breach response plan to address the data transferred or received from the EU.
  • Reviewing and updating the organization’s business continuity plan to ensure the availability of data transferred or received from the EU.
  • Reviewing existing transfers to ensure adequate safeguards are in place.

September 27, 2021 is not far away. Most U.S. organizations will need to move quickly to identify new cross border data transfers commencing after that date and be prepared to implement the new procedures and documents for the SCCs. This is, of course, if they are not relying on an alternate transfer mechanism or an exception exists. Organizations will also need to review any ongoing transfers made in reliance on the old SCCs and take steps to comply. As with new transfers, this will require a documented risk assessment and a comprehensive understanding of the organization’s process for accessing and transferring personal data protected under GDPR.

By now, plan fiduciaries and their service providers likely have heard about the DOL’s cybersecurity guidance. The Department of Labor’s stepping into cybersecurity in this way – a posting of best practices on the agency’s website – has left plan fiduciaries with some questions. Here are a few:

  • “When is this effective?”
  • “Does this apply to me?”
  • “Could I be liable if a service provider has a data breach?”
  • “We are halfway through the term of our services agreement with our recordkeeper, do we need to do something now?”
  • “This is IT’s problem, right?”
  • “What exactly do we have to do to be ‘prudent’?”
  • “Do we have to communicate anything to plan participants?”
  • “If our service provider had a data breach, do we have to terminate the relationship?” “What factors should we consider in making that decision?”

So, what are plan fiduciaries actually thinking? Fortunately, we’ve been able to obtain snippets of conversations between plan fiduciaries that may provide some insight into that question. Here is our first installment, and, of course, we redacted the text to protect the privacy of the individuals.

Retirement Plan Committee Chair: So, what did you think of your first retirement plan committee meeting?

New Committee Member: Well it sounds like it will be really interesting…though, I’m a little bit nervous about the personal responsibility part and I’m not much of a technology person. I keep hearing about these breaches in the news, ransomware, you know, and I was one of the people on the gas line due to the Colonial Pipeline incident.

Retirement Plan Committee Chair: I know what you mean. During the time we were out of the office for COVID, if it weren’t for my 13-year-old, I don’t think I would have been able to get onto any conference calls! But I think we have a good team and good procedures. There is a fiduciary training coming up and I believe they will cover this.

New Committee Member: Yea, that will be good. I am not sure I know all the service providers we have for the plans. We spoke a lot about the 401(k) plan’s recordkeeper tonight, are there others?

Retirement Plan Committee Chair: That is a good question. We definitely will need to identify all of our service providers, particularly those handling plan data. I know we have an auditor, and then there is our investment advisory firm…

New Committee Member (interrupting): …and what about the financial wellness vendor?

Retirement Plan Committee Chair: Yes, them too. Well, we should probably regroup after the training and come up with a plan. I have to run, see you next week.

New Committee Member:  OK, bye.

It looks like this organization takes its retirement plan administration seriously and has some thoughtful people on the team. Retirement committees generally are not required under ERISA but they can be a valuable tool for organizing the administrative responsibilities of an employee benefit plan.

Getting more educated on “cybersecurity” is a good initial step for a committee or plan fiduciaries generally. Done right, training will help fiduciaries better understand the threats and vulnerabilities to data generally (not just from criminal hackers) and gain more insight into the DOL’s best practices. Such training also can help plan fiduciaries (and personnel on virtually all levels of plan administration) appreciate more of the ways data may be accessed or transmitted in the course of operating a plan. Looking at plan operations from that perspective, where data lives and how it moves, can help plan fiduciaries identify the service providers they need to be thinking about.

Perhaps the most important nugget from the exchange above for addressing the DOL’s guidance is from the Retirement Plan Committee Chair – come up with a plan!

On May 13th, New York State Senator Kevin Thomas, Chair of NY’s Consumer Protection Committee, reintroduced the New York Privacy Act (“NYPA”), a comprehensive consumer privacy law similar in kind to the California Consumer Privacy Act (“CCPA”), California Privacy Rights Act (“CPRA”), and Virginia’s Consumer Data Protection Act (“CDPA”).  The NYPA had been introduced in a previous legislative session back in 2019, but failed to move forward in the legislative process.

This version of the NYPA is in some respects less ambitious than the prior version.  For example, the latest version removed the bill’s broad application to any “legal entities that conduct business in New York” or that produce products or services that “intentionally target” New York residents, which would have meant that small-to-medium size businesses, and potentially even not-for-profits, would have been subject to the law. Nevertheless the NYPA surpasses the CCPA and CDPA in some important respects, including by requiring data controllers to:

  • collect opt-in consent from consumers before processing their personal data for any purpose;
  • provide detailed disclosures about the activities of outside parties to whom they disclose personal data;
  • respond to consumer requests to correct personal data; and
  • make disclosures about their automated decision-making activities, afford consumers the opportunity to challenge automated decisions, and conduct and publish assessments on the impacts of their automated decision-making processes.

The NYPA would also impose on data controllers duties of loyalty and care – the latter of which would require an annual risk assessment of all of the data controller’s data processing activities – and take direct aim at targeted advertising and data sales, declaring that these activities “shall not be considered processing purposes that are necessary to provide services or goods requested by a consumer.”

“Consumers should have a right to choose if and how their personal information is collected and used by companies,” said Senator Thomas in his reintroduction of the NYPA. “And New Yorkers deserve to know that businesses who are collecting, processing and protecting their personally identifiable information are doing so ethically and responsibly. The New York Privacy Act will set new, groundbreaking standards for comprehensive privacy legislation by advancing consumer privacy rights and creating stronger industry standards that empower businesses to enhance consumer confidence by putting privacy and security front-and-center.”

Below is a rundown of the NYPA’s key components:

  • Application: The NYPA would apply to legal persons that conduct business in New York State or produce products or services intentionally targeted to residents in New York State and that satisfy at least one of the following thresholds:
    • have annual gross revenue of $25M or more;
    • control or process personal data of at least 100,000 New York residents;
    • control or process personal data of at least 500,000 persons nationwide, at least 10,000 of whom are New York residents; or
    • derive over 50% of their gross revenue from the sale of personal data, and control or process personal data of at least 25,000 New York residents.
    • Exempt: Exempted from the NYPA are state and local governments, and personal data that is regulated by HIPAA, HITECH, FERPA, DPPA, GLBA and notably, “data sets maintained for employment records purposes, for purposes other than sale”.
  • Personal Data: Similar to the CCPA and CDPA, the NYPA defines personal data broadly to include “any data that is identified or could reasonably be linked, directly or indirectly, with a specific natural person, household, or device”. That said, unlike the CPRA,  CDPA or GDPR, the New York bill does not include a category for “sensitive data” to which heightened protections apply.
  • Consumer: The NYPA defines “consumer” as “a natural person who is a resident of New York acting only in an individual or household context.” The NYPA states that the definition of consumer does not include a “natural person acting in a commercial or employment context.”
  • Consumer Rights: The NYPA provides consumers a broad set of rights over their personal data, including the rights to:
    • receive clear notice of how their data is being used, processed and shared;
    • provide or withhold consent for the processing of their data for any purpose;
    • access and obtain a copy of their data in a commonly used electronic format, with the ability to transfer it between services;
    • correct inaccuracies in their data;
    • delete their data; and
    • challenge certain automated decisions.
  • Notice to Consumers: Under the NYPA, data controllers must provide written notice to consumers when processing their personal data in an “easy-to-understand language at an eighth-grade reading level or below.” This notice must include a description of the consumers’ rights, the categories of personal data processed, the sources of that data, the purposes for which the data is processed, and the identities of all outside parties to whom the data is disclosed, as well as information about how those parties will use the data and how long they will retain it. The notice must be dated with its effective date and updated at least annually. The notice (as well as each version of the notice dating back six years) must be made readily available to consumers.
  • Non-Discrimination: The NYPA prohibits discrimination against a consumer who exercises their rights under the law. For example, a business may not target the consumer by denying goods or services or charging a higher price.
  • Data Broker Registry: The NYPA requires data brokers to register, pay an annual fee to the Attorney General, and submit information regarding their data use practices and contact information. The Attorney General must maintain a data broker registry on its website. Additionally, controllers must annually submit a list of all known data brokers, or persons reasonably believed to be data brokers, to whom the controller provided personal data in the preceding year, and can only share personal data with data brokers that are properly registered.
  • Data Security: At least annually, under the NYPA, data controllers are required to conduct and document risk assessments of all current processing of personal data. In addition, data controllers must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal data of consumers including adopting reasonable administrative, technical and physical safeguards appropriate to the volume and nature of the personal data at issue. The NYPA also imposes requirements related to data retention, data disposal and vendor management.
  • Enforcement and Private Right of Action: The NYPA authorizes the Attorney General to bring an action or special proceeding whenever it appears that a person has engaged or is about to engage in a violation of the law, with civil penalties of not more than $15,000 per violation (each instance of unlawful processing counts as a separate violation). And unlike comparable state laws, the NYPA would grant consumers a private right of action to enjoin violations of their rights under the law and to seek the greater of actual damages or liquidated damages in the amount of $1,000, along with attorney’s fees.  Contrary to other state consumer privacy bills introduced of late, such as Florida’s recently failed HB 969 or New York’s Biometric Privacy law, an organization found to have violated the NYPA does not have the opportunity to cure the violation before facing enforcement actions or litigation.

States across the country are contemplating ways to enhance their data privacy and security protections, with New York playing a leading role.  In addition to the reintroduction of the NYPA, there are other consumer privacy bills under consideration by the New York state legislature, and the New York City Council recently passed a data privacy bill that would impose rigorous requirements on owners of “Smart Access” buildings, and also created biometric information collection requirements for retail and hospitality businesses similar in kind to Illinois’s infamous Biometric Information Privacy Act (“BIPA”). Organizations, regardless of their location, should be assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs.

 

Effective July 9, 2021, certain retail and hospitality businesses that collect and use “biometric identifier information” from customers will need to post conspicuous notices near all customer entrances to their facilities.  These businesses will also be barred from selling, leasing, trading, sharing or otherwise profiting from the biometric identifier information they collect from customers.  Customers will have a private right of action to remedy violations, subject to a 30-day notice and cure period, with damages ranging from $500 to $5,000 per violation, along with attorneys’ fees.

These new requirements, which are set forth in an amendment to Title 22 of the NYC Admin. Code (the “Amendment”), apply to “commercial establishments,” a three-pronged category that includes:

  1. Food and drink establishments: Establishments that give or offer for sale to the public food or beverages for consumption or use on or off the premises, or on or off a pushcart, stand or vehicle.
  2. Places of entertainment: Privately or publicly owned and operated entertainment facilities, such as theaters, stadiums, arenas, racetracks, museums, amusement parks, observatories, or other places where attractions, performances, concerts, exhibits, athletic games or contests are held.
  3. Retail stores: Establishments wherein consumer commodities are sold, displayed or offered for sale, or where services are provided to consumers at retail.

The Amendment broadly defines “biometric identifier information” as a physiological or biological characteristic used to identify an individual including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.

The Amendment will take effect amidst a flurry of data privacy and security activity in New York.

  • Last year, the New York Department of Financial Services (“DFS”) filed its first enforcement action under New York’s Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. Part 500 (“Reg 500”). DFS also announced a $1.5 million settlement with a residential mortgage services provider earlier this year.
  • In another recent development, the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), which took effect in March 2020, requires organizations that own or license private information related to New York residents to, among other things, develop, implement, and maintain reasonable safeguards to protect that information, which includes biometric information.
  • Building on the momentum from Reg 500 and the SHIELD Act, several additional privacy bills are currently under consideration:
    • One is the Biometric Privacy Act, which, if enacted, could make New York the next hotbed of class action litigation over biometric privacy.
    • Another is the Tenant Privacy Act, which, among other things, would require owners of “smart access” buildings – i.e., those that use key fobs, mobile apps, biometric identifiers, or other digital technologies to grant access to their buildings – to provide privacy policies to their tenants prior to collecting certain types of data from them, as well as to strictly limit (a) the categories and scope of data that the building owner collects from tenants, (b) how it uses that data (including a prohibition on data sales), and (c) how long it retains the data.
    • Additionally, New York is considering two bills – S567 and A680 – which would grant consumers sweeping privacy rights, comparable to those available under the CCPA in California and CDPA in Virginia.

Jackson Lewis’ Privacy, Data & Cybersecurity Group has been closely monitoring these fast-moving developments and is available to assist organizations with their compliance and risk mitigation efforts.

As access to COVID-19 vaccines becomes more prevalent, and we begin to conceptualize what a post-pandemic world might look like, many governments are assessing the idea of a COVID-19 vaccine passport framework.  In late March, the European Commission announced its plan for a COVID-19 Digital Green Certificate framework (“the framework”) to facilitate “safe free movement of citizens within the EU during the COVID-19 pandemic”. The Digital Green Certificate provides proof that an individual has either: 1) been vaccinated against COVID-19, 2) received a negative test result or 3) recovered from COVID-19.  But while the benefits to such a plan are clear, there are significant privacy and security issues to consider.

Shortly after the European Commission released the proposal of the framework, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion on the framework in respect to personal data protection implications (“the joint opinion”). The joint opinion addressed the personal data implications of the framework, and highlighted, above all, that such a framework must be consistent and not conflict with application of the General Data Protection Regulation (“GDPR”), and that there should be adoption of adequate technical and organizational privacy and security measures in the context of the framework.

Below are key recommendations from the joint opinion:

  • Categories of Personal Data. While Annex I of the framework sets out categories and data fields of personal data that would be processed under the framework, the joint opinion emphasizes that the “justification for the need for such data fields” should also be included in the framework, as well as developing “more detailed data fields (sub-categories of data)…under the already defined categories of data should be added”. These revisions will help ensure that the framework is consistent with several GDPR principles including data minimization (i.e. not processing more than the data necessary to fulfil the purpose for which the data was collected), purpose limitations (personal data shall only be collected for a specified, explicit and legitimate purpose), and impact assessment (the obligation under the GDPR which requires controllers to conduct a data protection impact assessment before processing personal data would have to be redone if data fields were altered).
  • Adoption of Adequate Technical and Organizational Privacy and Security Measures in the Context of the Proposal. The joint opinion highlights that the framework should explicitly state that controllers and processors of personal data “shall take adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing, in line with Article 32 GDPR”.  Also included, the joint opinion suggests “the establishment of processes for a regular testing, assessment and evaluation of the effectiveness of the privacy and security measures adopted”, as well as including language in the framework consistent with the GDPR to prevent confusion and ensure relevance.  Finally, the joint opinion notes that adoption of privacy and security measures should be taken both at the time of the determination of the means for processing, as well as by the time of the processing itself.
  • Identification of controllers and processors. The joint opinion recommends that the framework specify “the list of all entities foreseen to be acting as controllers, processors and recipients of the data in that Member State”. Identifying these entities will provide EU citizens with an understanding of “whom they may turn to for the exercise of their data protection rights under the GDPR, including in particular the right to receive transparent information on the ways in which data subject’s rights may be exercised with respect to the processing of personal data”.
  • Transparency and data subject’s rights. The personal data related to the framework is particularly sensitive. As a result, the joint opinion urges the European Commission to “ensure that the transparency of the processes are clearly outlined for citizens to be able to exercise their data protection rights”.
  • Data storage. The joint opinion notes that, to uphold GDPR data storage principles (e.g. storing data no longer than is necessary for the purposes for which it was processed) in the context of the framework, the framework should, where possible, “explicitly define” the storage period and, if that is not possible, at least provide the “specific criteria used to determine such storage period”.
  • International data transfers. Finally, the joint opinion recommends “explicitly clarifying whether and when any international transfers of data are expected” as well as including safeguards “to ensure that third countries will only process the personal data exchanged for the purposes specified” within the framework.

The EU is not the only region implementing or considering a vaccine passport program. Israel’s vaccine passport, the Green Pass, is already up and running (available to the 80% of the adult population that is fully vaccinated), and several private companies are trying to develop globalized vaccine passport programs. For example, one large tech company’s vaccine passport technology is being tested by the State of New York for some sports venues and arenas. Likewise, another technology, the Common Pass, if implemented, will help individuals travelling globally to demonstrate their COVID-19 status. It is worth noting, however, that some states are actively banning vaccine passport technology and requirements. For example, just last week in Florida, Governor Ron DeSantis signed into law legislation prohibiting businesses, schools and government offices from requiring proof of vaccination, with fines of up to $5000. And in general, public support of vaccine passports in the U.S. seems to vary by activity. According to a recent Gallup poll, the majority of Americans support proof of vaccination for travel by airplanes and attending events with large crowds. Conversely, Americans are less supportive of proof of vaccination at work, staying in a hotel or dining at a restaurant.

Whatever the program, the privacy and security considerations surrounding the collection of personal data are similar, and become increasingly complicated in the context of a global vaccine program where overlapping, and sometimes conflicting, data privacy and security laws and guidance come into play.   In the U.S. alone, there are numerous laws which may be implicated when vaccine related data is collected from individuals in the public or private setting – such as for employees or customers.  These include the Americans with Disabilities Act (ADA), the Genetic Information Nondiscrimination Act (GINA), state laws, and the CCPA.  In addition to statutory or regulatory mandates, organizations will also need to consider existing contracts or services agreements which may provide for or limit the collection, sharing, storage, or return of data. Moreover, if a vendor were involved in a vaccine passport program, contracts/agreements would need to include confidentiality, data security, and similar provisions. This is most important if the vendor will be maintaining, storing, accessing, or utilizing the information collected about the organization’s employees or customers.

In short, a vaccine passport program may play a crucial role in ensuring a safe and healthy return to normalcy across the globe. Nevertheless, the legal risks, challenges, and requirements of any such program, whether in the public or private forum, must be considered prior to implementation.