Data privacy and the GDPR in 2019: what’s on the horizon?

By:  Jen Horn

When the European Union’s General Data Protection Regulation (GDPR) was introduced in May, one of the biggest questions was how the law was going to be enforced. The GDPR, which also applies to any U.S. company that handles the personal data of EU citizens, requires businesses to clearly state when they’re collecting personal data and to ask for users’ consent in doing so. Many believe it will have implications for future data privacy rules in the United States as well. So far, it looks like the law is being taken seriously – regulators across the EU have already begun imposing fines.

Article 83 of the GDPR authorized data protection authorities (DPAs) in EU member states to impose fines of up to approximately $22 million USD, or 2% of a company’s worldwide revenues, or, for serious violations, up to approximately $45 million USD, or 4% of a company’s worldwide revenues. However, Article 83 also requires that fines be “effective, proportionate, and dissuasive.” The somewhat vague language left many companies wondering how large, exactly, the fines might be.

Their first example came in September, when the Austrian DPA fined the owner of a gambling shop because a camera at its front entrance also recorded footage of a public sidewalk. Interestingly, the Austrian DPA found this was a violation of the GDPR because it was considered a prohibited monitoring of public space. The fine, however, was approximately $5,000 USD plus legal costs, and the Austrian DPA acknowledged that the fine was meant to be “proportionate” to the violation.

A hospital in Portugal, however, was not quite as lucky. News was released in October that the unnamed hospital received a fine of approximately $455,000 USD for two separate violations. The first involved patient information that was found to be inappropriately available to non-medical staff; the second concerned the confidentiality and integrity of treatment systems. This is one of the highest fines imposed to date, and the hospital has stated it is appealing the penalty.

Most recently, a German chat platform was fined approximately $91,000 USD for a breach of user passwords that occurred in July. User information and passwords were stored in unencrypted plain text, and hackers managed to gain access to more than 800,000 email addresses and more than 1.5 million user names and passwords, some of which were later published on the Internet. Fortunately, the company’s handling of the event appears to have helped reduce the amount of its fine; the DPA report noted the company’s fast communication of the incident to its users, as well as its total cooperation with the DPA.

So what can this tell us about how the GDPR will be enforced? In sum, it appears that the law will be enforced fairly – but broadly. If a DPA is willing to impose a fine, however small, for a camera that captures too much of a public sidewalk, that’s a sign that the EU is serious about improving data privacy and security for consumers. Just as important, though, is that it also appears a company’s quick and comprehensive response to learning about an issue could lessen the amount of its fine.

By:  Jen Horn

Q: I keep hearing about various data privacy regulations being passed, but my company does not do business overseas. Should I still be thinking about doing anything, and if so, why?

A: Yes, absolutely! The General Data Protection Regulation (GDPR) that took effect in May arguably has gotten the most press because of its global reach and implications. But just because your business doesn’t operate on a global scale doesn’t mean that you shouldn’t be proactive in addressing data privacy and/or cybersecurity issues.

First and foremost, as discussed in the article above, Ohio recently approved legislation that will provide a legal incentive for businesses with a cybersecurity program meeting certain criteria. Because data breaches and cybersecurity issues have unfortunately become a matter of when, rather than if, the smartest thing you can do is make sure your company has a plan in place. And if you already have a plan in place, make sure you set aside time annually, at a minimum, to review and update it in order to ensure compliance.

Ohio isn’t the only state taking measures to address data privacy and cybersecurity issues, however. California also passed legislation, the California Consumer Privacy Act of 2018 (CCPA), at the end of June. This new regulation, which is the first major data privacy law passed in the United States, will formally take effect on January 1, 2020. The CCPA gives “consumers” – defined as natural persons who are California residents for tax purposes – several key rights with respect to their personal information:

So why is the CCPA worth paying attention to? First, because it will affect an estimated 500,000 small to medium U.S. businesses – many of which may not fall under the GDPR’s reach. But second, because California historically has been the first state to address privacy issues. In 2002, it became the first state to require notifications of data security breaches, and in 2004, it passed the first law requiring websites to have privacy policies. In other words, the CCPA could well be the first of many other state data privacy laws, or potentially even start the conversation on establishing national privacy legislation; it is a strong indicator of things to come.

Though the CCPA has been compared to the GDPR, don’t assume that being in compliance with GDPR means your company automatically complies with the CCPA – the two laws are not all that similar. For example, the CCPA defines “personal data” much more broadly, gives California consumers greater rights to access their personal data, and is stricter on data sharing for commercial purposes.

As things currently stand, the CCPA will apply to for-profit businesses that collect and control California residents’ personal information, do business in the State of California, and (1) earn $25 million or more in annual revenue; or (2) hold the personal data of 50,000 or more California residents, households or devices on an annual basis; or (3) derive at least half of their revenue from selling the personal data of California residents.

Penalties for noncompliance with the CCPA are divided into two categories: intentional and unintentional. Intentional violations carry a fine of $7,500 per violation; unintentional violations are subject to a $2,500 fine per violation. Additionally, companies could be ordered in civil lawsuits to pay statutory damages of between $100 and $750 per California consumer and incident, or actual damages – whichever is greater – on top of any other court-ordered relief.

For now, it would be wise for any business to start paying attention to how Ohio’s law is implemented in November, and to watch for changes to the CCPA before it takes effect in 2020. Furthermore, if you haven’t already, start tracking all personal information you might collect, use, and store, and what your corporate privacy policy says about personal information. Being proactive and assuming that the CCPA could become law across the country could save you significant time in the long run.

By:  Jen Horn

Companies that take reasonable cybersecurity precautions against data breaches will have a distinct advantage starting in November. That’s because Ohio’s Data Protection Act, which Governor John Kasich signed in August, formally takes effect November 2nd.

The Act, the first legislation of its kind in the country, creates a legal incentive for businesses that maintain a recognized cybersecurity program. (Other states, such as New York, require a certain level of compliance with cybersecurity standards, but don’t offer any incentive to do so). Provided that its cybersecurity plan conforms to a certain framework, a company may invoke a “safe harbor defense” in Ohio to a cause of action that alleges a failure to implement reasonable IT security controls that resulted in a data breach.

In order to qualify for this legal defense, the business must implement a written cybersecurity plan that clearly does the following:

This is not a one-size-fits-all type of plan. It may be based on a company’s size, the nature and scope of its activities, the sensitivity of any personal information protected under the cybersecurity program, and the cost and availability of tools to improve information security and reduce vulnerabilities.

The one thing that any cybersecurity program must do, however, is “substantially comply” with one of eight industry-recognized frameworks, which include:

The Act does not provide companies with blanket immunity to a data breach lawsuit, and businesses do still have the burden of proving that their cybersecurity program complies with the law’s requirements. But as long as a business can establish compliance, the Act gives it an affirmative defense to tort actions (including invasion of privacy and negligence) that it might be facing following a data breach that involves personal or restricted information.

As we advise clients time and again, no one is immune from the threat of a data breach, and companies should approach data security as a question of when a breach will happen, not if. The new Act will give Ohio businesses an advantage if they take the time to evaluate things like what data they create, maintain, or share, and create a cybersecurity program that is appropriate for their company.

Ohio’s Data Protection Act is also one of the first laws in the country to recognize documents secured by blockchain technology as legal documents. An amendment to the Act updated Ohio’s existing Uniform Electronic Transactions Law to now state that “a record or contract secured through blockchain technology is considered to be in an electronic form and to be an electronic record.”

Generally speaking, “blockchain technology” is what underlies the rapidly growing cryptocurrency market. Cryptocurrencies – the most popular of which at the moment is bitcoin – are virtual currencies that exist peer-to-peer. They were initially developed as a means of fixing perceived flaws with the way money is transmitted from one party to another. Apparent flaws include the amount of time it can take a cross-border financial transaction to clear, as well as the costs of a financial transaction.

Blockchain technology, then, is the digital and decentralized public ledger that records all transactions. Any time someone does anything with cryptocurrency, this virtual ledger tracks the transaction and encrypts it, to protect it from cybercriminals. But because blockchain is “decentralized,” meaning it is controlled by users and computer algorithms rather than a centralized bank, there is not one specific hub that stores all transaction data. Rather, it is stored in bits and pieces across the world. The transactions are distributed and recorded across multiple computers, ensuring there are multiple copies to prevent altering a transaction record. This allows the ledger to be easily verifiable despite being decentralized.
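The tamper-evidence the paragraph above describes comes from each entry in the ledger committing to the entry before it, and from many copies being held independently. The following toy ledger is an added illustration for this newsletter, not code from any cryptocurrency project: it links records with SHA-256 hashes (a hash chain, the linking mechanism behind blockchains), shows that altering one record in one copy breaks every link after it, and shows how a majority of honest copies identifies the altered one. The record strings and the all-zero genesis anchor are constructed sample values.

```python
import hashlib
import json
from collections import Counter
from dataclasses import dataclass, asdict

GENESIS = "0" * 64  # constructed anchor for the first block's "previous hash"


@dataclass(frozen=True)
class Block:
    index: int
    data: str
    prev_hash: str

    def digest(self) -> str:
        # Hash this block's fields together with the previous block's hash, so
        # changing any earlier block changes every digest that follows it.
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


def build_ledger(records):
    """Chain records together: each block stores its predecessor's digest."""
    ledger = []
    prev = GENESIS
    for i, rec in enumerate(records):
        block = Block(index=i, data=rec, prev_hash=prev)
        ledger.append(block)
        prev = block.digest()
    return ledger


def head_hash(ledger):
    """Digest of the last block; a verifier remembers this one value."""
    return ledger[-1].digest() if ledger else GENESIS


def verify_ledger(ledger, expected_head):
    """Return the index of the first block whose link to its predecessor is
    broken (or the last block if the chain head does not match), else None."""
    prev = GENESIS
    for block in ledger:
        if block.prev_hash != prev:
            return block.index
        prev = block.digest()
    if prev != expected_head:
        return len(ledger) - 1  # last block altered, or chain cut/extended
    return None


def tamper(ledger, index, new_data):
    """Rewrite one block's payload in a copy, simulating one altered replica."""
    copy = list(ledger)
    old = copy[index]
    copy[index] = Block(index=old.index, data=new_data, prev_hash=old.prev_hash)
    return copy


def majority_head(replicas):
    """With several independently held copies, the head hash most copies agree
    on is the one an honest verifier trusts; a lone altered copy is outvoted."""
    counts = Counter(head_hash(r) for r in replicas)
    return counts.most_common(1)[0][0]


RECORDS = ["alice pays bob 5", "bob pays carol 2", "carol pays dave 1"]  # constructed

if __name__ == "__main__":
    ledger = build_ledger(RECORDS)
    head = head_hash(ledger)
    print("intact ledger, first broken link:", verify_ledger(ledger, head))
    forged = tamper(ledger, 1, "bob pays carol 200")
    print("altered copy, first broken link at block:", verify_ledger(forged, head))
    print("majority of copies agree on the honest head:",
          majority_head([ledger, ledger, forged]) == head)
```

A change to block 1 is caught at block 2, because block 2 still stores the digest of the original block 1; a change to the final block is caught only by comparing the recomputed head against the head hash the verifier already holds, which is why the head value (or the other copies) matters as much as the chain itself.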

Recognizing documents that are part of blockchain transactions as “legal documents” will likely help to legitimize the technology in Ohio. Though blockchain has most frequently been tied with cryptocurrencies, proponents of the technology have indicated that blockchain could be very useful in other industries, including finance, health care, real estate, and supply chain management.

By:  Ed Patton

With President Donald Trump’s additional $200 billion in trade tariffs on China now in effect, the focus turns to their impact. The tariffs, which began on Monday, encompass a wide variety of goods, ranging from seafood and vegetables to auto parts and construction material. And while they began at 10 percent, the tariffs will increase to 25 percent on January 1, 2019. Effects of the tariffs will vary depending on what is purchased, with consumers seeing greater price increases on more expensive items such as televisions, cars, or homes and home renovations, due to increased costs on construction materials.

And businesses, some of which have been dealing with increased taxes on imports like steel and aluminum for months, will see costs increase further. The intent of tariffs is to help domestic companies by making their domestic product more affordable than the foreign alternative, but they don’t always have the desired effect. Manufacturers can end up being forced to lay off workers or increase prices for customers to offset their own price increases.

Whether President Trump’s latest tariffs on China will do anything to address the trade imbalance between the two nations remains to be seen; China responded by imposing penalties on $60 billion of U.S. products.

Mansour Gavin President Tony Coyne accepted an award for Cleveland’s Public Square from the American Planning Association on September 25, 2018. The APA added Public Square to its flagship program, Great Places in America. Coyne serves as Chairman of The Group Plan Commission, the group responsible for Public Square’s revitalization.


Jim Budzik will be a speaker at the NBI Seminar – Human Resource Law: What You Need to Know Now – on October 1, 2018 in Akron, Ohio. Jim will be speaking on workplace behavior and privacy issues.

SEMINAR DETAILS:

Date: Monday, October 1, 2018

Time: 9:00 AM – 4:30 PM

Location: Doubletree Hotel – Akron/Fairlawn

Jim is a member of Mansour Gavin’s Labor and Employment Practice Group where his practice is focused on public and private sector employment law representing management and employers.


Mansour Gavin Shareholder John Monroe was recently quoted in a front-page article that appeared in the Cleveland Plain Dealer on August 12, 2018 regarding membership interest sales used to transfer title to real estate. When asked about recent legislative efforts to “close” the alleged legal loophole, Monroe opined that such efforts were “wrongheaded.” Monroe stated, “I’m not sure I see the need to close a loophole versus valuing property correctly.” He observed what many Northeast Ohio property owners have seen in their recent property revaluations, that “some properties in Northeast Ohio are dramatically undervalued while others are sharply overvalued, with little apparent logic.” Monroe suggested that “public officials should turn their focus away from entity sales and onto two things: better appraisals and broader tax reform.”

By:  Ken Smith

The Supreme Court of the United States recently issued a major decision in the case Epic Systems Corp. v. Lewis that upholds the rights of employers to require its employees to pursue individual arbitration for resolving employment disputes.

In Epic Systems, a company employee sought to file a lawsuit against his employer in federal court for failure to pay overtime wages under the Fair Labor Standards Act. The employee tried to file the case as a class action – in other words, on behalf of himself and similar employees who also were allegedly not paid overtime. Traditionally, because individual claims generally don’t have high value, employees and their lawyers have filed class actions on behalf of a much larger group of employees to leverage settlements and increase legal fees. However, in this case, the employee had signed an arbitration agreement that explicitly stated any claims relating to his employment would be subject to individual arbitration, and that any claims pertaining to different employees would be heard in separate arbitration proceedings. In other words, the agreements specifically prohibited class actions.

The employee challenged the arbitration agreement, in part, by alleging that the agreement violated the Fair Labor Standards Act. Specifically, the employee pointed to a part of the FLSA that allows for class action lawsuits and claimed that this conflicted with law authorizing the arbitration of employment disputes. The employee also alleged that forcing him to go to individual arbitration violated the National Labor Relations Act, which provides employees the right to engage in “concerted activities” for collective bargaining or other mutual aid or protection.

But the Supreme Court held that when Congress passed the Federal Arbitration Act in 1925, it evidenced a liberal federal policy favoring arbitration. In light of this policy favoring arbitration, the Supreme Court found that there was no conflict between the FLSA and the arbitration agreement. In order to escape from individual arbitration, the employee would have had to demonstrate that the arbitration agreement was entered into fraudulently, or that he was placed under duress when he signed the agreement, or that the agreement was so unfair that it should not be enforced. The employee did not claim any of those defenses.

Moreover, the Supreme Court found that the National Labor Relations Act focuses on the rights of employees to organize unions and bargain collectively. It does not say anything about class action lawsuits or that it overrules the Federal Arbitration Act.

Bottom line, the Epic Systems case is a strong endorsement from the Supreme Court that arbitration agreements are lawful and can be used for a wide variety of employment disputes. Even where employees seek to band together to bring a class action lawsuit in the court system, each employee who signed an arbitration agreement can instead be compelled to litigate his or her claims in a separate arbitration proceeding. Epic Systems is a big win for employers who prefer the generally quicker, less costly arbitration process over being tied up in court. Employers are encouraged to consider arbitration clauses as part of their employment agreements and policies.

By:  Jim Budzik

Ohio’s public sector landscape will likely be changing dramatically, thanks to yesterday’s 5-4 U.S. Supreme Court vote in Janus v. American Federation of State, County, and Municipal Employees Council 31. The Supreme Court overturned a 1977 decision that allowed “fair share,” or “agency,” fees to be collected from all public employees, regardless of whether they had joined a union. The rationale was that all employees benefitted from non-political activities, such as a union’s collective bargaining agreement or contract administration, even if certain employees were not members.

This ruling now means that non-union members in approximately two dozen states – Ohio being one of them – cannot be forced to pay fees to unions that represent public employees. Until yesterday, a public employer whose employees were represented by a union could require any employee to pay fees to the union where the collective bargaining agreement authorized such deductions.

The case was initially brought by Mark Janus, an Illinois public employee – and non-union member – who sued the American Federation of State, County and Municipal Employees Council 31 over the collection of fair share fees. Janus’s position was that the Illinois statute that allowed for the collection of such fees violated his right to free speech and free association under the U.S. Constitution’s First Amendment.

In siding with Janus, however, the Court stated that while the ruling “may cause unions to experience unpleasant transition costs in the short term,” that had to be weighed against all of the funds taken from non-union employees and transferred to public sector unions. This ruling now deprives unions of a key revenue stream, and could affect their ability both to attract new members and spend in political races.

Unions, which won both in district court and in the Seventh Circuit before the case was appealed to the Supreme Court, had argued in favor of keeping the fair share fees requirement for the following reasons:

Specifically in Ohio, the Court’s ruling means that Ohio House Bill 53, introduced in late 2017, now will change parts of Ohio’s collective bargaining law. The law currently allows a contract to contain a fair share fee provision. That provision is now invalid. House Bill 53 may also eliminate the “free rider” argument, because the bill would require employee organizations to only represent employees who are dues-paying members of the exclusive representative. Thus, only public employees in an appropriate bargaining unit who are members of the union would be eligible to collectively bargain with the Ohio public employer.

Finally, collective bargaining agreements would govern the wages and working conditions of only the employees who are members of the union. This could result in employees in the same job classification receiving different compensation and benefits, because union employees would be subject to the contract, while non-union employees would be subject to wages and working conditions set by the public employer.

The Janus ruling certainly stands to result in a measurable impact for a number of states, including the prohibition of fair share fees in public sector contracts across the United States.

In other words, stay tuned for further developments in the area.