Company representatives and legal experts based in the U.S. and the EU examined recent U.S. privacy developments, drawing from experiences with the EU’s General Data Protection Regulation in a webinar moderated by HR Policy’s Daniel Chasen, Vice President, Workplace Policy. In addition, panelists discussed NLRB General Counsel Jennifer Abruzzo’s new memo on employee monitoring and AI, which points to the significant employee relations implications of new privacy developments.
NLRB General Counsel Abruzzo’s new memo on employee monitoring sets high bar for employers: Last week, GC Abruzzo urged the Board in a memo to “adopt a new framework for protecting employees from intrusive or abusive forms of electronic monitoring and automated management that interfere with Section 7 activity.” GC Abruzzo’s proposal would require employers to disclose to employees the technologies used, reasons for deploying them, and information obtained. Alternatively, employers would have to demonstrate their use is “narrowly tailored to address a legitimate business need” which the Board does not find “outweighs Section 7 rights.” HR Policy General Counsel Roger King noted that this test would be an “exceedingly high bar” for employers to clear, with the scales balanced toward unions.
Meanwhile, beginning on January 1, 2023, the full suite of privacy rights granted under the California Consumer Privacy Act (CCPA) will apply to California-based employees, job applicants, and contractors. These include the rights to delete, disclose, and correct, as well as opt-in requirements for the processing of HR data. Mr. Nolan observed, “for companies that already have robust data privacy infrastructure, the immediate impact of the CCPA is something we can handle. Other companies will have to take a very hard look at their California footprint.” He further noted that the CPRA could be a catalyst for employees and union representatives to think more about data privacy, with the more immediate concern being that the California plaintiffs’ bar will be quite focused on the issue. Mr. Cheng noted that a key question for companies to consider is how to inform employees about what types or categories of personal information they have collected or shared.
Lessons from Europe: Employers with operations in the EU must comply with similar requirements under the General Data Protection Regulation. Ms. Salas noted that a combination of individuals and works councils are bringing forward compliance issues with the GDPR. Ms. Crowley, in conveying that the GDPR has represented a “sea-change” in Europe, offered three key takeaways:
- A “records of processing activities” document could help set out all data processing activities and justifications.
- Data purges are your friend—do not keep data any longer than needed and minimize which data you hold onto. In case of a compliance issue, it can be very difficult to justify data for the “just in case” option.
Mr. Hayes noted that “In the U.S. you have general entrepreneurial sovereignty regarding technology in the workplace, but that is much more restrained in Europe by a dense framework of laws. We are starting to see things shift in this way in California, which could be a culture shock for some companies.”
New worker privacy rights carry significant implications for employee relations function: Ms. Salas noted that as European Works Councils have pressed companies on GDPR compliance, the employee relations and IT functions have worked closely together. In particular, her role has required close cooperation with DXC Technology’s Data Privacy Officer. Mr. Nolan noted similar experiences, and that Raytheon’s regional data privacy leads have worked closely with regional employee relations professionals.