After the implementation of the General Data Protection Regulation (GDPR) in May 2018, U.S. academic institutions continue to grapple with compliance issues. Institutions must address areas where there is exposure to risk and train their employees to minimize that exposure.
One area of risk is the flow of data. Who on campus is the gatekeeper handling the data? Most universities will have a Data Protection Officer (DPO) as required by Article 37 of the GDPR. Other campus GDPR actors may include University Counsel, Information Technology Officers, Information Security Officers, Human Resources, Admissions, Financial Aid, Research, International Programs, Online Education and others specific to an institution. Therefore, all of these employees must be well versed in the rules and consequences of GDPR.
A second area of risk is with third party vendors processing data. It may be difficult to ascertain who the responsible party is with more than one entity touching personal data. For example, a foreign national consents to personal data being processed in the U.S. However, some of the data processed by the U.S. institution may be transferred and stored in another non-EU country. Vendor negotiations, contracts and agreements are critical in this regard to protect institutional data.
The extraterritorial scope of the GDPR applies to U.S. institutions, especially those that have campuses in the European Union (EU) for study abroad. Additional documentation is required for student travel to the EU depending on where the personal data is stored, and separate acknowledgements are necessary for photos and video recording. A US institution with EU students within the EU must also comply with the GDPR.
Yet another area of risk is the GDPR’s Article 17, which indicates EU residents have the“right to be forgotten.” In other words, they can request erasure of stored personal data “without undue delay,” which may be problematic for institutions. Conflicting relevant U.S. federal or state laws prohibit the immediate deletion of such data. For universities, domestic laws take precedence over the GDPR. There is also a growing threat from fraudulent data requestors. Suspicious GDPR data requests often involve a generic template and must be evaluated individually to determine if it’s a legitimate inquiry. In the end, making sure your institution has the right structure in place, to respond to data requests, is critical. Indeed, you may risk a data compromise or data breach (whereby you allow unauthorized access) simply by not having the requisite protocols in place to verify legitimate inquiries.
Deep GDPR fines have been assessed on certain EU companies across a wide range of industries, but little as of the date of this publication in the area of higher education. Case law highlights include: Google (France fined $57 million), British Airways (U.K. $230 million before Brexit), Unicredit Bank S.A. (Romania over $143k), and a Medical Sector Controller (Austria over $60k).
The GDPR and other privacy laws are still evolving. In 2020, California will enact the California Consumer Privacy Act (CCPA), coined “GDPR Lite,” and detailed in a recent article by my colleagues. It will be one of the most sweeping data collection regulations affecting all U.S. based companies acting as private processors.
By now, you most likely have heard the phrase “OK Boomer.” What began as a meme, quickly went viral. Soon enough, Boomer’s themselves have been seen using the phrase in jest. Elizabeth Warren recently used it as the subject line of an email fundraiser (next to a winking emoji). The phrase was the subject of an entire editorial on the most recent CBS Sunday Morning episode. For those of you entirely out of the loop on this one: Dictionary.com lists “OK Boomer” as a “slang phrase” used “to call out or dismiss out of touch or close-minded opinions associated with the Baby Boomer generation and older people more generally.”
The phrase was apparently developed to capture the idea of Millennials and Generation Z being fed up with getting lectured by an older generation; an older generation whom they perceive to be leaving behind a multitude of unsolvable problems. Some are embracing the idea as proof that the younger generation is poised to get more involved and that change is imminent. But the phrase can be seen as discriminatory and ageist.
Yes, trends are cool. Yes, memes are fun. But, the workplace is NOT the place to roll out new material. Ever. And, do you know what is definitely not fun or cool? Being the subject of a harassment complaint and workplace investigation. Or better yet, being named in an age discrimination lawsuit with your repeated use of the phrase, “OK Boomer” serving as proof that your company harbors discriminatory animus towards its older employees.
As noted on the EEOC’s website, “Although the law doesn’t prohibit simple teasing, offhand comments, or isolated incidents that aren’t very serious, harassment is illegal when it is so frequent or severe that it creates a hostile or offensive work environment or when it results in an adverse employment decision (such as the victim being fired or demoted).” In other words, using the phrase without anything else is not likely going to be deemed to constitute a “hostile work environment.” However, using the phrase casually and carelessly at work can certainly be enough to create the existence of a claim. And while the claim may be defensible by an employer, the term “defensible” often equates to “expensive” in terms of lawyer fees, lost time, decreased productivity, reduced morale, etc. Accordingly, the phrase cannot be viewed as harmless and instead should not be tolerated in the workplace.
In Stanley Kubrick’s 1968 epic 2001:
A Space Odyssey, HAL 9000, a fictional artificial intelligence machine,
helps guide a space mission to Jupiter, but through the course of the film is
revealed to be a villainous presence. Fast forward 50 years and, although
artificial intelligence (AI) has yet to lead a crew of astronauts to Jupiter,
AI now pervades our lives in many seen and unseen ways, including employment
recruiting. For example, AI commonly helps companies sort through
voluminous resumes to identify qualified candidates. By some estimates,
roughly 40 percent of employers have included AI in the hiring process.
Most recently, AI “interview bots” have
become a popular tool in HR departments. They utilize different algorithms
and methods to evaluate a candidate’s facial expressions, body language, word
choice and tone among other factors to create a candidate profile or provide
feedback to the employer. While HAL has not reached the workplace just
yet, AI interview bots have raised some concerns particularly in
January 1, 2020, Illinois will regulate AI interviewing programs through the
first-of-its-kind Artificial Intelligence Video Interview Act, 820 ILCS 42/5.
An employer that asks applicants to record video interviews and uses AI
analysis when considering applicants for positions based in Illinois must take
steps before asking applicants to submit to the video interviews. The
Notify each applicant before the interview that AI may be used to analyze the
applicant’s video interview and consider the applicant’s fitness for the
Provide each applicant with information before the interview explaining how the
AI works and what general types of characteristics it uses to evaluate
Obtain, before the interview, consent from the applicant to be evaluated by the
An employer may not use AI to evaluate
applicants who have not consented to the use of AI analysis and may only share
a video interview with persons whose expertise or technology are necessary to
assess the applicant’s fitness for a position. The video interview also
must be destroyed within 30 days upon request of the applicant. However,
the new law leaves some questions unanswered, including what exactly qualifies
as AI and what are the specific consequences for a violation.
Illinois has emerged as something of a
leader in workplace technology laws, now regulating both AI and the use of
employee biometric information. It is perhaps appropriate given HAL’s
fictional creation at the University of Illinois. Illinois employers that
utilize these technologies in the workplace need to stay attuned to the recent
regulatory developments before they create very real legal
September 23, 2019 the IRS issued final regulations updating the rules
governing hardship distributions from 401(k) and 403(b) plans. They are
generally similar to the proposed regulations issued late last year and
primarily reflect changes made by the 2018 Tax Cuts and Jobs Act and the
Bipartisan Budget Act of 2018.
Some of the changes in the final regulations are mandatory, requiring employers to take action by January 1, 2020.
Eliminates of the 6-month contribution suspension requirement
Beginning January 1, 2020, 401(k) and 403(b) plans will no longer be able to suspend contributions following a hardship distribution. Plans are required to eliminate the suspension period that barred participants who take a hardship distribution from making new contributions to the plan for 6 or more months.
2. Eliminates the plan loan requirement
The new rule removes the requirement that participants take a loan from the plan before taking a hardship withdrawal. Unlike the elimination of the 6-month suspension period, this change is optional. Plans may continue to require participants take a plan loan before being eligible for a hardship withdrawal.
3. Expands contribution sources available for hardship distributions
The final rule permits (but does not require) a 401(k) plan sponsor to allow hardship distributions of elective deferrals, QNECs, QMACs, and all earnings thereon. Previously, employees could only withdraw elective deferrals (and not earnings). Earnings on 403(b) contributions and certain 403(b) plan QNECs and QMACs remain ineligible for hardship withdrawals.
4. Provides disaster relief
take a hardship withdrawal, employees currently must show an immediate and
heavy financial need that involves one or more of the following: (1) purchase
of a primary residence; (2) expenses to repair damage or to make improvements
to a primary residence; (3) preventing eviction or foreclosure from a primary
residence; (4) post-secondary education expenses for the upcoming 12 months for
participants, spouses and children; (5) funeral expenses; and (6) medical
expenses not covered by insurance.
final rule adds a seventh safe harbor category for expenses resulting from a
federally declared disaster.
5. Eases hardship verification requirements
current rules, plan administrators must take into account “all relevant
facts and circumstances” to determine if a hardship withdrawal is
necessary. The new rule requires only that a distribution not exceed the amount
of the employee’s need (including taxes), that the employee first obtains any
other distributions available under the plan, and that the employee represents
that he or she has insufficient cash or liquid assets “reasonably available” to
satisfy the financial need.
representations can be made over the phone, if the call is recorded, or can be
made in writing or by e-mail. A plan administrator may rely on an employee’s
representation unless the plan administrator has actual knowledge to the
contrary. Plans are required to apply this standard starting in 2020.
plans that permit hardship distributions will need to be amended to reflect the
new rules by December 31, 2021, but operational changes must comply with the
new rule beginning January 1, 2020.
Employee time sheets on table with coffee and calculator
The US Department of Labor (DOL) has issued a proposed amendment to the regulation governing the fluctuating workweek (29 CFR 778.114). The fluctuating workweek can be used to calculate overtime for an employee whose hours fluctuate from week to week based on the nature of the job. The DOL’s proposed amendment is to clarify that there is no issue with paying a bonus, shift premium, or additional pay to someone who is being paid via the fluctuating workweek method, but such extra payment will increase the regular rate of pay for calculating overtime unless the additional pay meets an exclusion from the Fair Labor Standards Act. This is a change in position since in 2011, during the Obama administration, the preamble to 29 CFR 778.114 added language that any additional pay other than the salary was inconsistent with the fluctuating workweek.
The fluctuating workweek method allows an employer to pay a non-exempt employee a salary and then pay overtime at a 0.5 multiplier. This method is only applicable if the following conditions are met: (1) the employee works hours that fluctuate from week to week; (2) the employee receives a fixed salary that does not vary with the number of hours worked in the workweek, whether few or many; (3) the amount of employee’s fixed salary is sufficient to provide compensation to the employee at a rate not less than the applicable minimum wage rate for every hour worked in those workweeks in which the number of hours the employee works is greatest; (4) the employee and the employer have a clear and mutual understanding that the fixed salary is compensation (apart from overtime premiums) for the total hours worked each workweek regardless of the number of hours; and (5) the employee receives overtime compensation at a rate of not less than one-half the employee’s regular rate of pay for that workweek.
The fluctuating workweek method is permissible under the FLSA and under some state laws (including IL, IN, WI and MO). However, employers should review state law for compliance since not all states (including CA) have adopted this method of overtime payment.
The proposed rule will be available for comment for 30 days from November 5, 2019. After the comment period is over, the DOL will review the comments and determine if any changes to the rule will be made. Thereafter, the DOL will issue a final rule. We have seen the DOL acting more swiftly in rulemaking this year but based on the timing of the comment period, we do not anticipate this rule going into effect until sometime in 2020.
Contributed by Jeffrey A. Risch, November 15, 2019As Illinois set out to become the first state to legalize recreational cannabis through statutory authority, the legislative intent for protections for employers and the workplace were intended to include some of the strongest in the nation. However, when the dust settled and the statutory framework was analyzed, there appeared to be room for reasonable minds to have differing opinions on what the law actually meant for the workplace.
clipboard and pen.
On one hand, could employers lawfully implement reasonable, non-discriminatory drug testing policies aimed at prohibiting applicants and employees from lawfully using recreational cannabis and gaining or maintaining employment? On the other hand, would employers be violating the law if they did not hire someone who tested positive for THC or if they could not ultimately demonstrate that an employee was actually impaired while on the job? These sorts of questions lingered. A quick online search trying to find answers would only frustrate HR professionals, safety managers, and business owners further. Clarity was needed.Therefore, through the efforts of several business groups and trade associations (including the Illinois Chamber of Commerce) working across both political aisles, SB1557 passed the Illinois General Assembly on November 14, 2019. While SB1557 includes wrinkles for the licensing, manufacturing and distribution of recreational cannabis in Illinois, it also contains language found below designed to protect employers from litigation.In essence, the language attempts to clear up concern that an employer may have been required to show actual impairment in the workplace vs. simply being able to implement and follow a reasonable, non-discriminatory drug testing policy. Specifically, Section 10-50 of the law will now read as follows (changes in bold):
(410 ILCS 705/10-50) Sec. 10-50. Employment; employer liability.(a) Nothing in this Act shall prohibit an employer from adopting reasonable zero tolerance or drug free workplace policies, or employment policies concerning drug testing, smoking, consumption, storage, or use of cannabis in the workplace or while on call provided that the policy is applied in a nondiscriminatory manner.(b) Nothing in this Act shall require an employer to permit an employee to be under the influence of or use cannabis in the employer’s workplace or while performing the employee’s job duties or while on call.(c) Nothing in this Act shall limit or prevent an employer from disciplining an employee or terminating employment of an employee for violating an employer’s employment policies or workplace drug policy.(d) An employer may consider an employee to be impaired or under the influence of cannabis if the employer has a good faith belief that an employee manifests specific, articulable symptoms while working that decrease or lessen the employee’s performance of the duties or tasks of the employee’s job position, including symptoms of the employee’s speech, physical dexterity, agility, coordination, demeanor, irrational or unusual behavior, or negligence or carelessness in operating equipment or machinery; disregard for the safety of the employee or others, or involvement in any accident that results in serious damage to equipment or property; disruption of a production or manufacturing process; or carelessness that results in any injury to the employee or others. If an employer elects to discipline an employee on the basis that the employee is under the influence or impaired by cannabis, the employer must afford the employee a reasonable opportunity to contest the basis of the determination.(e) Nothing in this Act shall be construed to create or imply a cause of action for any person against an employer for:
actions taken pursuant to an employer’s reasonable workplace drug policy, including but not limited to subjecting an employee or applicant to reasonable drug and alcohol testing, reasonable and nondiscriminatory random drug testing, and discipline, termination of employment, or withdrawal of a job offer due to a failure of a drug test;, including but not limited to subjecting an employee or applicant to reasonable drug and alcohol testing under the employer’s workplace drug policy, including an employee’s refusal to be tested or to cooperate in testing procedures or disciplining or termination of employment;actions based on the employer’s good faith belief that an employee used or possessed cannabis in the employer’s workplace or while performing the employee’s job duties or while on call in violation of the employer’s employment policies;actions, including discipline or termination of employment, based on the employer’s good faith belief that an employee was impaired as a result of the use of cannabis, or under the influence of cannabis, while at the employer’s workplace or while performing the employee’s job duties or while on call in violation of the employer’s workplace drug policy; orinjury, loss, or liability to a third party if the employer neither knew nor had reason to know that the employee was impaired.
(f) Nothing in this Act shall be construed to enhance or diminish protections afforded by any other law, including but not limited to the Compassionate Use of Medical Cannabis Pilot Program Act or the Opioid Alternative Pilot Program.(g) Nothing in this Act shall be construed to interfere with any federal, state, or local restrictions on employment including, but not limited to, the United States Department of Transportation regulation 49 CFR 40.151(e) or impact an employer’s ability to comply with federal or state law or cause it to lose a federal or state contract or funding.(h) As used in this Section, “workplace” means the employer’s premises, including any building, real property, and parking area under the control of the employer or area used by an employee while in the performance of the employee’s job duties, and vehicles, whether leased, rented, or owned. “Workplace” may be further defined by the employer’s written employment policy, provided that the policy is consistent with this Section.(i) For purposes of this Section, an employee is deemed “on call” when such employee is scheduled with at least 24 hours’ notice by his or her employer to be on standby or otherwise responsible for performing tasks related to his or her employment either at the employer’s premises or other previously designated location by his or her employer or supervisor to perform a work-related task.
Additionally, much needed clarification for public employers was also included concerning how off duty use of cannabis by certain emergency personnel should be administered. The following was added to Section 10-35. Limitations and penalties:
(410 ILCS 705/10-35)(8) the use of cannabis by a law enforcement officer, corrections officer, probation officer, or firefighter while on duty;nothing in this Act prevents a public employer of law enforcement officers, corrections officers, probation officers, paramedics, or firefighters from prohibiting or taking disciplinary action for the consumption, possession, sales, purchase, or delivery of cannabis or cannabis-infused substances while on or off duty, unless provided for in the employer’s policies. However, an employer may not take adverse employment action against an employee based solely on the lawful possession or consumption of cannabis or cannabis-infused substances by members of the employee’s household. To the extent that this Section conflicts with any applicable collective bargaining agreement, the provisions of the collective bargaining agreement shall prevail. Further, nothing inthis Act shall be construed to limit in any way the right to collectively bargain over the subject matters contained in this Act;
These changes help to better assure employers that they have the ability to implement fair, reasonable drug testing policies designed to protect their employees and the public. Recreational consumers will certainly have the legal right to use cannabis, but the employer should have the legal right to say “you better not have THC in your system to become or remain employed here.” Of course, any drug testing policy must be carefully vetted, designed, and implemented. After all, lawyers will be lawyers.
While many questions still remain and medicinal usage requires a different analysis (for now) it appears employers can take better comfort and be more confident in creating policy designed to maintain a safe and healthy workplace through reasonable drug testing policies. However, employers must continue to carefully examine their own unique industry, risks and risk tolerances, together with their geographic footprint and applicant pool. The drug testing policy and drug-free workplace program for the “widget manufacturer” in Peoria is likely to be vastly different than that of the “accounting firm” in Schaumburg.
Flu season is here and that likely means employers can hear
sneezing and sniffling up and down the hallways at work. Sick employees
are less productive and their absences can disrupt an employer’s
operations. Worse still, sick employees may come into work and spread an
illness to coworkers, exacerbating the problem. According to the U.S.
Center for Disease Control (CDC), recent studies show that flu vaccinations
reduce the risk of flu by between 40 and 60 percent. Given this,
employers may wish they could mandate that all employees receive a flu
vaccination. But can they?
For those employers outside the
healthcare field, the answer is probably not. The Americans with
Disabilities Act (ADA) allows employers to submit their employees to certain
health screenings and inquiries depending on what point in the stage of
employment the screening or inquiry takes place. Per the federal
regulations supplementing the ADA, employers are generally prohibited from
asking any disability-related questions or requesting any medical exams before
a conditional offer of employment is extended to the applicant. Once an
offer of employment is made, an employer may require a medical examination if
the same examination is used for all entering employees in that job category.
If an employer uses certain criteria from these examinations to screen out
employees, those criteria must be job-related and consistent with business
As for current employees, the ADA
generally prohibits employers from mandating that employees receive any medical
testing or vaccinations unless they are job-related, consistent with business
necessity, and no more intrusive than necessary. This is a very difficult
standard to meet unless the employer is part of the healthcare field or otherwise
requires employees to regularly interact with immune-compromised clients,
patients, or customers.
But there are several practices that employers can take to
encourage employees to receive vaccines short of job-contingent mandates.
Employees are more likely to get vaccinated if it is easy and affordable to do
so. Employers may want to subsidize the cost of vaccines, allow paid time
off to go get vaccines, or offer vaccines at the workplace to reduce any
As for employers in the healthcare field, courts have
repeatedly upheld an employer’s right to require that employees receive
vaccinations if they work directly with patients – such as a nurse, doctor, or
patient care assistant – or if they handle materials that could spread infection
– such as a lab technician. The CDC recommends that these healthcare
workers receive vaccinations for hepatitis B, flu, measles, mumps, rubella,
chickenpox, tetanus, diphtheria, pertussis, and meningococcal diseases.
Mandating vaccines, even in the healthcare field, is not
without legal risks of which employers should be aware. The U.S. Equal
Employment Opportunity Commission takes the position that healthcare employers
must consider exemptions for those employees who cannot receive vaccines for reasons
related to disability, pregnancy, or religion. Employers should analyze
each request for exemption on a case-by-case basis, including review of the
employee’s job position, as well as the employee’s particular religious belief
or medical documentation corroborating the disability at issue.
For employees who object to vaccines based on religious
grounds, employers should first determine if the employee sincerely holds the
religious belief. Courts do not overly scrutinize this question.
While the belief cannot be social, political, or personal to qualify as a
sincerely-held religious belief, courts cast a fairly wide net as to what
religious-based beliefs will provide protection under Title VII. The
religious belief may be newly adopted, inconsistently observed, not part of a
formal church or sect’s religious practice, or different from the commonly
followed tenants of the individual’s religion. As an example of the broad
interpretation of sincerely-held religious beliefs, courts have determined that
veganism may constitute a religion where an employee protests receiving a
vaccine containing animal products, such as eggs.
For employees who seek an exemption from mandatory vaccines
based on their disabilities, the employer may ask for medical documentation
corroborating the disability. Some examples of disabilities that may
preclude employees from receiving certain vaccinations include life-threatening
allergies, diseases that compromise the employee’s immune system, or – in the
case of a recent Third Circuit Court of Appeals case – a severe and
well-documented anxiety associated with the side effects of receiving vaccines.
Once an employer determines that an employee is objecting to
a mandatory vaccine based on a sincerely-held religious belief or documented
disability, the employer must determine whether allowing the employee an
exemption from the vaccine creates an undue burden on the organization.
For exemptions based on disabilities, the employer may also similarly consider
if the exemption would create a direct threat to the employee, his or her
coworkers, or the organization’s patients. This inquiry is often directly
related to the employee’s position. While it may be feasible to exempt a
hospital billing clerk from mandatory vaccines, the same is likely not true for
a pediatric nurse working with young patients who are particularly vulnerable
in the NICU.
The employer should also consider if there are alternatives
that could sufficiently protect the employee and patients short of requiring
the vaccine, whether it be requiring the employee to wear a mask or
transferring the employee to a position with less patient contact. If the
employer determines that exempting the employee will create an undue burden, it
can require the vaccine as a condition of further employment, but this decision
should be documented with a clear explanation as to why the vaccine is
job-related, no more intrusive than necessary and consistent with business
necessity. The employer must also monitor and ensure that it conducts the
exemption consideration and decision process consistently for all employees.
The key to handling requests for exemptions is to ensure
that the consideration focuses on the specific concerns of the particular
employee and encompasses an open and back-and-forth dialogue with the
employee. Sometimes learning more about the employee’s specific concerns
will lead to a solution. For example, an employee objecting to a vaccine
on religious grounds because the vaccine contains animal cells may be willing
to accept an alternative version of the vaccination that does not contain the