The European Union’s (“EU’s”) General Data Protection Regulations (“GDPR”) go into effect on May 25, 2018, and they clearly apply to U.S. companies doing business in Europe or offering goods and services online that EU residents can purchase. Given that many U.S. companies, particularly in the health care space, increasingly are establishing operations and commercial relationships outside the United States generally, and in Europe particularly, many may be asking questions akin to the following recent inquiries that I have fielded concerning the reach of the GDPR:

What does the GDPR do? The GDPR unifies European data and privacy protection laws as to companies that collect or process the personally identifiable information (“PII” or, as the GDPR calls it, “personal data”) of European residents (not just citizens).

Who must comply? The GDPR applies to any company that has personal information of EU residents or citizens or that conducts business in the EU, regardless of its home country.

What is the risk of non-compliance? The GDPR mandates documented compliance. The regulations provide for substantial fines of up to €20 million or 4 percent of global revenues for noncompliance. Willful non-compliance is most heavily fined under this tiered system.

How far along are most companies as to compliance? The consulting firm Gartner estimates that more than half of the companies that are subject to the GDPR will not be in compliance throughout this year. They will be at risk.

Who will adopt the regulations? All 28 EU members, plus Iceland, Norway, and Liechtenstein (collectively known as the “European Economic Area”), and likely the United Kingdom, will adopt the regulations.

Will the regulations be enforced extraterritorially? The GDPR applies worldwide as to any company that offers goods or services (even if they are free) within the EU or collects, processes, or maintains (anywhere) personal data about European residents (again, not just citizens).

How is “personal data” defined? The definition includes any information as to a human being (called a “data subject”) that can directly or indirectly identify him or her, including, but not limited to, names; birthdates; physical addresses; email and IP addresses; and health, biometric, and demographic information.

What constitutes compliance? In general terms, a subject company must limit the use of the retained personal data and maintain it securely.

  • Explicit consent is required for each processing activity as to any covered datum.
  • Access, free of charge, must be afforded to any data subject on request to a “data controller” (a person at the company charged with maintaining data), who, in turn, must assure that any “data processor” (any person or company that takes data from consumers and manipulates or uses it in some way to then pass along information to a third party) is compliant as to the requested action.
  • Data subjects have the right to be “forgotten,” i.e., to have their data expunged, and may revoke consent at will.

What does the GDPR require if there is a data breach? Data breaches that “may” pose a risk to individuals must be notified officially within 72 hours and to affected persons without undue delay.

This, of course, is only an outline of GDPR requirements and procedures. Specific advice can only be provided with knowledge of an individual company’s circumstances and needs. It is worth noting that, as in other areas such as antitrust, the assumptions prevalent within the EU are decidedly different from those in the United States. As a number of commentators have observed, while there is no defined “right of privacy” in the United States, a company is required to preserve information, including PII and personal health information (“PHI”), in the event of litigation. In Europe, where litigation discovery is very limited, there is a defined right of privacy, and individuals can cause data describing them to be erased (“forgotten”).

Many of you know also that there is a case pending a decision in the Supreme Court of the United States involving whether the U.S. government can compel Microsoft to produce PII that is collected and stored outside of the United States. An affirmative decision might create a conflict of law that will complicate the data retention abilities of American companies doing business overseas. So stay tuned.

Featured on Employment Law This Week: A California federal judge has ruled that a former GrubHub delivery driver was an independent contractor, not an employee.

The judge found that the company did not have the required control over its drivers for the plaintiff to establish that he is an employee. This decision comes as companies like Uber and Lyft are also facing lawsuits that accuse them of misclassifying employees as independent contractors. Carlos Becerra, from Epstein Becker Green, has more.


James D. Schutzer is the Vice President at JDM Benefits, a consulting group that provides strategic benefits services to small and mid-size employers. His career in healthcare spans over 20 years and has included leadership roles in employee benefits and insurance sales. He spent 10 years working in sales for carriers like Wellpoint and Oxford Health Plans. Jamie frequently presents and lectures to many organizations on the topic of the Affordable Care Act and sat on the New York State Health Benefit Exchange Regional Advisory Council. In addition, Jamie is the Immediate Past President of New York State Association of Health Underwriters (NYSAHU) as well as Legislative Co-Chair, and is an Executive Committee member of the Business Council of Westchester, and currently serves as Treasurer. In December 2015, Jamie was named in the Employee Benefit Adviser as one of the 14 politically active brokers to know across the U.S.

While attempts to fully repeal and replace the Affordable Care Act in 2017 did not come to fruition, several developments are gaining momentum that will surely shape the ability of employers to sponsor insured health plans for their employees in the future. From the repeal of the individual mandate penalty, the expansion of association health plans, state proposals to increase taxes on insurers, referenced-based pricing, and new “blockchain” models for purchasing services directly for employees, the insured markets will be under increasing stress to survive. It is possible that these trends will accelerate the collapse of the insurance markets and usher in a government-provided single-payer system and/or a self-directed mode of procuring healthcare via blockchain technology. I recently sat down with James Schutzer to discuss the evolving landscape in employer-provided group healthcare and obtain his insights regarding how these changes will impact costs and the future of employer-provided health insurance.

Michelle Capezza: How do you see the repeal of the individual mandate impacting the insurance markets and the ability of employers to obtain affordable insurance plans for their employees?

James Schutzer: For starters, the individual mandate penalty lacked the teeth from the beginning and I think it is still difficult to ascertain how many people enrolled in health insurance to avoid the penalty. There are different reports out in the market which argue the point from both sides. As an employee benefits advisor, I have seen a slight uptick in enrollment in employer sponsored coverage for the reason that employees want to avoid the individual mandate penalty. Therefore, I do not see the elimination of the individual mandate having a significant impact in the employer sponsored market. Plus, the employer mandate still exists as of this time and Applicable Large Employers are required to offer insurance or pay a penalty.

MC: For employers that seek to utilize the new rules expanding the ability to form association health plans (AHPs), how will this increase the adverse selection issues already straining insurance markets?

JS: One concern related to AHPs is that they can possibly siphon off the “perceived” good risk, leaving the older and sicker members in the small group market. This will certainly create a death spiral. Another concern is that employers can jump in and out of the small group market based on medical needs. I believe the proposed regulations try to address and prevent this type of behavior. I know the National Association of Insurance Commissioners has come out in opposition to AHPs.

MC: How do you see these developments impacting an employer’s decision to sponsor a high deductible health plan with access to a health savings account for its employees versus self-funding a plan? Are these still viable modes of delivering employer-sponsored health coverage to employees?

JS: High deductible health plans with a health savings account are still growing, but I have seen the pace slow down the last couple of years. One important piece which is still not readily available is the price transparency tools which enable people to be better healthcare consumers. On the other hand, we are seeing more employers testing the waters with partially self-insured plans. There are many benefits to this strategy, but it does come with risks. It is critical that the employer completely understands the inner workings of being partially self-insured. Picking the right individual and aggregate stop loss, provider network, and pharmacy benefit manager, among other things, is vital to the success of the plan.

MC: What is your view regarding the viability of referenced-based pricing models for employer-provided health insurance?

JS: Referenced-based pricing (RBP) is a newer concept that is starting to break into the Northeast. This market is generally slower to adapt to change, but RBP is proving to save employers money in other parts of the country. Hospital and major surgical costs have exploded, and RBP is trying to tackle this issue head on by identifying the true cost basis and providing payment based on this data. Employers with a partially self-funded plan rely on a “leased” network for their discounts when their employees utilize healthcare. This contracted rate is what the employer is responsible to pay (outside of the employee’s copay, deductible, etc.). RBP looks to further peel back layers of hospital and high-cost surgical claims and offer a more “fair” payment. In return, the employer’s costs are lowered. The one challenge to RBP is the potential for balanced billing, but there are RBP vendors employers can work with to assist in defending the payment.

MC: Given the complexities of these markets and programs, it is no wonder blockchain is being applied to healthcare, and household name employers are beginning to develop models to contract directly with healthcare service providers and pharmaceutical companies and use their own technology to administer claims. It seems that if more transparency in pricing can be obtained, this would lend itself to blockchain purchases. How do you see this evolving, and do you think an AHP could operate this way?

JS: Yes, the blockchain phenomenon is creeping into healthcare. As I mentioned before, transparency is so badly needed in healthcare, and blockchain might be the right conduit to deliver it. Healthcare is the only area I can think of where you do not know the cost of the service until after it has been performed. Although some progress has been made over time, there is still plenty of work to be done. Can you imagine needing a hip replacement and having the ability to price out the surgery in advance? But something which cannot be overlooked is outcomes, and the data to support this is sorely needed as well. Blockchain can definitely have an impact here as well, as data can be easily accessible.

MC: As more individual data is collected via electronic medical records, and through direct blockchain purchasing developments, and other technology based tracking and healthcare delivery systems, do you see such Big Data being collated, analyzed and utilized to drive value based pricing initiatives and influence certain healthy behaviors?

JS: As I mentioned above, data is a key to bending the healthcare cost curve. I recently bought a new television and the research I was able to do online was remarkable. Brand, dimensions, reviews, prices…all at my fingertips. It would be a game changer if this type of data becomes available in the healthcare industry.

MC: Given these developments, do you see a potential for the pendulum to swing to a U.S. government-provided system of healthcare, requiring all employers and individuals to pay into such a system with increased payroll and income taxes, and perhaps requiring individuals to use blockchain technology to self direct their allotted government healthcare dollars to purchase healthcare services?

JS: I believe we must leave healthcare in the hands of the free market system as opposed to the government. I believe we are in the very early stages of a sea change in the healthcare industry. The current system is just not sustainable in the long run, and although we can put band-aids on the problem, ultimately there must be some major changes in the delivery system. We have the tools… now we have to figure out how to use them to our advantage.

MC: Thank you. Clearly there are many approaches to providing and obtaining health insurance. As cost pressures increase and the desire for transparency rises, it will be important to monitor which path stands.

Our colleague Daniel R. Levy, at Epstein Becker Green, has a post on the Trade Secrets & Employee Mobility blog that will be of interest to our readers: “It’s a Brave New World: Protecting Trade Secrets When Traveling Abroad with Electronic Devices.”

Following is an excerpt:

Consider the following scenario: your organization holds an annual meeting with all Research & Development employees for the purpose of having an open discussion between thought leaders and R&D regarding product-development capabilities. This year’s meeting is scheduled outside the United States, and next year’s will be within the U.S., with all non-U.S. R&D employees traveling into the U.S. to attend. For each meeting, your employees may be subject to a search of their electronic devices, including any laptop that may contain your company’s trade secrets. Pursuant to a new directive issued in January 2018 by U.S. Customs and Border Protection (“CBP”), the electronic devices of all individuals, including U.S. citizens and U.S. residents, may be subject to search by the CBP upon entry into (or leaving) the U.S. …

Read the full post here.

Our colleagues at Epstein Becker Green have a post on the Wage and Hour Defense Blog that will be of interest to many of our readers in the technology industry: “Labor Issues in the Gig Economy: Federal Court Concludes That GrubHub Delivery Drivers are Independent Contractors under California Law.”

Following is an excerpt:

Recently, a number of proposed class and collective action lawsuits have been filed on behalf of so-called “gig economy” workers, alleging that such workers have been misclassified as independent contractors. How these workers are classified is critical not only for workers seeking wage, injury and discrimination protections only available to employees, but also to employers desiring to avoid legal risks and costs conferred by employee status. While a number of cases have been tried regarding other types of independent contractor arrangements (e.g., taxi drivers, insurance agents, etc.), few, if any, of these types of cases have made it through a trial on the merits – until now.

In Lawson v. GrubHub, Inc., the plaintiff, Raef Lawson, a GrubHub restaurant delivery driver, alleged that GrubHub misclassified him as an independent contractor in violation of California’s minimum wage, overtime, and expense reimbursement laws. In September and October 2017, Lawson tried his claims before a federal magistrate judge in San Francisco. After considering the evidence and the relevant law, on February 8, 2018, the magistrate judge found that, while some factors weighed in favor of concluding that Lawson was an employee of GrubHub, the balance of factors weighed against an employment relationship, concluding that he was an independent contractor. …

Read the full post here.

On January 30, in New York City, our colleague Michelle Capezza of Epstein Becker Green will be a panelist at the “2018 Technology Economic & Financial Outlook,” hosted by the New Jersey Tech Council (NJTC).

From the “internet of things,” to the cloud, to autonomous cars, there is not a single industry segment that has not leveraged technology to develop better products and services for the benefit of their customers as well as their stakeholders. As technology makes the world smaller, it also opens up endless opportunities for creativity and innovation. The panel will discuss the impact that technology will have in 2018 on the regional, domestic, and global economic and financial environment.

For more information, visit NJTC.org.

Steven R. Blackburn, Member of the Firm in the Employment, Labor & Workforce Management practice, will co-present a Practising Law Institute in-person event and webcast on January 25, 2018 at 10:00 a.m. PST titled “Tech Sector Employment Law Hot Topics for the California Lawyer.”

This event will address current California employment law issues, with the added focus of how the latest, state-specific legal developments impact the tech sector, in particular.

Steven R. Blackburn’s program is titled, “Sexual Harassment in the Tech Sector – Employer Duties, Investigations and Managing Claims,” and will address the following:

  • Employer, board and fiduciary duties in a harassment claim
  • Avoiding common pitfalls when investigating harassment
  • Assessing risk vulnerability to high-level employees
  • Recent wave of sexual harassment revelations – what makes this time different?
  • Social media’s role in exposing sexual harassment, and its impact on how investigations are managed

MCLE credit is available for participating in the program.

For more information and to register for this webcast, click here.

As 2017 comes to a close, recent headlines have underscored the importance of compliance and training. In this Take 5, we review major workforce management issues in 2017, and their impact, and offer critical actions that employers should consider to minimize exposure:

  1. Addressing Workplace Sexual Harassment in the Wake of #MeToo
  2. A Busy 2017 Sets the Stage for Further Wage-Hour Developments
  3. Your “Top Ten” Cybersecurity Vulnerabilities
  4. 2017: The Year of the Comprehensive Paid Leave Laws
  5. Efforts Continue to Strengthen Equal Pay Laws in 2017

Read the full Take 5 online or download the PDF.

Our colleague Steven M. Swirsky at Epstein Becker Green has a post on the Management Memo blog that will be of interest to our readers: “NLRB Reverses Key Rulings: Returns to Pre-Obama Board Test for Deciding Joint-Employer Status and for Determining Whether Handbooks, Rules and Policies Violate the NLRA – Assessment of 2014 Expedited Election Rules and Future Changes Also Announced.”

Following is an excerpt:

It should come as no surprise that recent days have seen a stream of significant decisions and other actions from the National Labor Relations Board as Board Chairman Philip A. Miscimarra’s term moves towards its December 16, 2017 conclusion. Chairman Miscimarra, while he was in a minority of Republican appointees from his confirmation during July 2013 and as a new majority has taken shape with the confirmation of Members Marvin Kaplan and William Emanuel, has clearly and consistently explained why he disagreed with the actions of the Obama Board in a range of areas, including the 2015 adoption of a much relaxed standard for determining joint-employer status in Browning-Ferris Industries, the standard adopted in Lutheran Heritage Village for determining whether a work rule or policy, whether in a handbook or elsewhere, would be found to unlawfully interfere with employees’ rights under Section 7 of the National Labor Relations Act to engage in concerted action with respect to their terms and conditions of employment, and his disagreement with the expedited election rules that the Board adopted through amendments to the Board’s election rules. …

In Hy-Brand Industrial Contractors Ltd. and Brandt Construction Co., decided on December 14, 2017, in a 34-2 decision, the Board has discarded the standard adopted in Browning-Ferris, and announced that it was returning to the previous standard and test for determining joint-employer status and returning to its earlier “direct and immediate control standard.” …

In The Boeing Company, also decided on December 14, 2017, the Board adopted new standards for determining whether “facially neutral workplace rules, policies and employee handbook standards unlawfully interfere with the exercise” of employees’ rights protected by the NLRA. …

Noting that the 2014 Election Rules were adopted over the dissent of Chairman Miscimarra and then Member Harry Johnson, and the fact that these rules have now been in effect for more than two years, on December 14th, the Board, over the dissents of Members Mark Pearce and Lauren McFerren, both of whom were appointed by President Obama, published a Request for Information, seeking comment …

Read the full post here.

When deliberations began regarding the first tax reform legislation in over thirty years, many raised concerns that tax reform measures would adversely affect retirement savings programs such as the 401(k) plan. Now, as the tax reform proposals have become further vetted, the 401(k) approach to pre-tax retirement savings appears to remain intact and may actually survive “Rothification.” The IRS also recently increased the 401(k) pre-tax savings contribution limit to $18,500 for 2018. Despite the confirmed importance of retirement savings vehicles such as the 401(k) plan, many employees eligible for these employer-sponsored programs do not enroll in the plans, fail to contribute as much as they could, or do not fully understand how to maximize their benefits or select their investment options. Multigenerational employees also have different financial needs and perceptions, and receive communications differently. Plan sponsors should take this opportunity, as passage of tax reform legislation appears imminent, to provide eligible employees and participants with an enhanced communications program touting the benefits of 401(k) plan participation.

What Enhancements Can be Made to Existing 401(k) Plan Communications?

As plan sponsors know, certain plan communications are required and are already provided to plan participants through specific channels such as direct mail or e-delivery. These materials include summary plan descriptions, summary annual reports, and participant fee disclosures. In addition, there may be safe harbor notices, 404(c) plan disclosures, automatic contribution notices, qualified default investment alternative notices, fund change notices, blackout notices, and perhaps even investment education or advice materials distributed to participants. A recurring complaint is that participants do not read, do not understand, or cannot even locate all of these materials. Plan sponsors might be well served by considering the following when enhancing their otherwise required communications:

  • Incorporate tools into a traditional communications program such as mobile applications that can deliver understandable information to those on-the-go, in short snippets, regarding the benefits of plan participation
  • Issue periodic email, text message or other digital/social media reminders regarding increasing savings rates during the year and how a percentage increase can impact retirement savings over time
  • Offer online short videos or podcasts (5 to 15 minutes) that explain 401(k) features and benefits in digestible segments
  • Provide generic plan enrollment assistance either through on-site meetings, video conference, or online software
  • Strategically time the issuance of communications well before the due date of a summary of material modification that will allow participants to fully maximize the benefit of a plan design change
  • Connect the messaging with relevant events (such as passage of new legislation; a corporate acquisition)
  • Consider a financial wellness program that can educate employees regarding their whole financial picture, including managing debt and how to allocate available compensation to employer-provided benefit programs

The foregoing suggestions are a starting point and should be tailored to the organization’s needs and employee demographics. The idea is to develop a strategy that supplements the required communications, and does so in a brief and engaging manner without contradicting plan terms. The messaging can also refer employees back to the longer, required communications and documentation, which might be located on a company intranet for easy access. Further, these types of communications do not need to be personalized and should not include personally identifiable information unless the delivery mechanisms are fully compliant with cybersecurity policies, including password protection and encryption. Also, these particular communications should avoid being fiduciary or advice-oriented in nature. Instead, the goal is to highlight, and educate employees regarding, the important plan benefits and encourage them to participate, in language they understand. This approach can also be duplicated for other types of employee benefits (i.e., the ones that survive tax reform).