The European Union’s (“EU’s”) General Data Protection Regulations (“GDPR”) go into effect on May 25, 2018, and they clearly apply to U.S. companies doing business in Europe or offering goods and services online that EU residents can purchase. Given that many U.S. companies, particularly in the health care space, increasingly are establishing operations and commercial relationships outside the United States generally, and in Europe particularly, many may be asking questions akin to the following recent inquiries that I have fielded concerning the reach of the GDPR:

What does the GDPR do? The GDPR unifies European data and privacy protection laws as to companies that collect or process the personally identifiable information (“PII” or, as the GDPR calls it, “personal data”) of European residents (not just citizens).

Who must comply? The GDPR applies to any company that has personal information of EU residents or citizens or that conducts business in the EU, regardless of its home country.

What is the risk of non-compliance? The GDPR mandates documented compliance. The regulations provide for substantial fines of up to €20 million or 4 percent of global revenues for noncompliance. Willful non-compliance is most heavily fined under this tiered system.

How far along are most companies as to compliance? The consulting firm Gartner estimates that more than half of the companies that are subject to the GDPR will not be in compliance throughout this year. They will be at risk.

Who will adopt the regulations? All 28 EU members, plus Iceland, Norway, and Liechtenstein (collectively known as the “European Economic Area”), and likely the United Kingdom, will adopt the regulations.

Will the regulations be enforced extraterritorially? The GDPR applies worldwide as to any company that offers goods or services (even if they are free) within the EU or collects, processes, or maintains (anywhere) personal data about European residents (again, not just citizens).

How is “personal data” defined? The definition includes any information as to a human being (called a “data subject”) that can directly or indirectly identify him or her, including, but not limited to, names; birthdates; physical addresses; email and IP addresses; and health, biometric, and demographic information.

What constitutes compliance? In general terms, a subject company must limit the use of the retained personal data and maintain it securely.

  • Explicit consent is required for each processing activity as to any covered datum.
  • Access, free of charge, must be afforded to any data subject on request to a “data controller” (a person at the company charged with maintaining data), who, in turn, must assure that any “data processor” (any person or company that takes data from consumers and manipulates or uses it in some way to then pass along information to a third party) is compliant as to the requested action.
  • Data subjects have the right to be “forgotten,” i.e., to have their data expunged, and may revoke consent at will.

What does the GDPR require if there is a data breach? Data breaches that “may” pose a risk to individuals must be notified officially within 72 hours and to affected persons without undue delay.

This, of course, is only an outline of GDPR requirements and procedures. Any specific advice only can be provided knowing an individual company’s circumstances and needs. One does note that, as is the case in other regards, for example, antitrust, the assumptions prevalent within the EU are decidedly different from those in the United States. As a number of commentators have observed, while there is no defined “right of privacy” in the United States, a company is required to preserve information, including PII and personal health information, or PHI, in the event of litigation. In Europe, which has very limited litigation discovery, there is a defined right of privacy and individuals can cause data describing them to be erased (“forgotten”).

Many of you know also that there is a case pending a decision in the Supreme Court of the United States involving whether the U.S. government can compel Microsoft to produce PII that is collected and stored outside of the United States. An affirmative decision might create a conflict of law that will complicate the data retention abilities of American companies doing business overseas. So stay tuned.

Our colleague Daniel R. Levy, at Epstein Becker Green, has a post on the Trade Secrets & Employee Mobility blog that will be of interest to our readers: “It’s a Brave New World: Protecting Trade Secrets When Traveling Abroad with Electronic Devices.”

Following is an excerpt:

Consider the following scenario: your organization holds an annual meeting with all Research & Development employees for the purpose of having an open discussion between thought leaders and R&D regarding product-development capabilities. This year’s meeting is scheduled outside the United States and next year’s will be within the U.S. with all non-U.S. R&D employees traveling into the U.S. to attend. For each meeting, your employees may be subject to a search of their electronic devices, including any laptop that may contain your company’s trade secrets. Pursuant to a new directive issued in January 2018 by U.S. Customs and Border Protection (“CBP”), the electronic devices of all individuals, including U.S. citizens and U.S. residents, may be subject to search upon entry into (or leaving) the U.S. by the CBP. …

Read the full post here.

Our colleagues, at Epstein Becker Green, have a post on the Wage and Hour Defense Blog that will be of interest to many of our readers in the technology industry: “Labor Issues in the Gig Economy: Federal Court Concludes That GrubHub Delivery Drivers are Independent Contractors under California Law.”

Following is an excerpt:

Recently, a number of proposed class and collective action lawsuits have been filed on behalf of so-called “gig economy” workers, alleging that such workers have been misclassified as independent contractors. How these workers are classified is critical not only for workers seeking wage, injury and discrimination protections only available to employees, but also to employers desiring to avoid legal risks and costs conferred by employee status. While a number of cases have been tried regarding other types of independent contractor arrangements (e.g., taxi drivers, insurance agents, etc.), few, if any, of these types of cases have made it through a trial on the merits – until now.

In Lawson v. GrubHub, Inc., the plaintiff, Raef Lawson, a GrubHub restaurant delivery driver, alleged that GrubHub misclassified him as an independent contractor in violation of California’s minimum wage, overtime, and expense reimbursement laws. In September and October 2017, Lawson tried his claims before a federal magistrate judge in San Francisco. After considering the evidence and the relevant law, on February 8, 2018, the magistrate judge found that, while some factors weighed in favor of concluding that Lawson was an employee of GrubHub, the balance of factors weighed against an employment relationship, concluding that he was an independent contractor. …

Read the full post here.

On January 30, in New York City, our colleague Michelle Capezza of Epstein Becker Green will be a panelist at the “2018 Technology Economic & Financial Outlook,” hosted by the New Jersey Tech Council (NJTC).

From the “internet of things,” to the cloud, to autonomous cars, there is not a single industry segment that has not leveraged technology to develop better products and services for the benefit of their customers as well as their stakeholders. As technology makes the world smaller, it also opens up endless opportunities for creativity and innovation. The panel will discuss the impact that technology will have in 2018 on the regional, domestic, and global economic and financial environment.

For more information, visit

Steven R. Blackburn, Member of the Firm in the Employment, Labor & Workforce Management practice, will co-present a Practising Law Institute in-person event and webcast on January 25, 2018 at 10:00 a.m. PST titled “Tech Sector Employment Law Hot Topics for the California Lawyer.”

This event will address current California employment law issues, with the added focus of how the latest, state-specific legal developments impact the tech sector, in particular.

Steven R. Blackburn’s program is titled, “Sexual Harassment in the Tech Sector – Employer Duties, Investigations and Managing Claims,” and will address the following:

  • Employer, board and fiduciary duties in a harassment claim
  • Avoiding common pitfalls when investigating harassment
  • Assessing risk vulnerability to high level employees
  • Recent wave of sexual harassment revelations – what makes this time different?
  • Social media’s role in exposing sexual harassment and its impact on how investigations are managed

MCLE credit is available for participating in the program.

For more information and to register for this webcast, click here.

As 2017 comes to a close, recent headlines have underscored the importance of compliance and training. In this Take 5, we review major workforce management issues in 2017, and their impact, and offer critical actions that employers should consider to minimize exposure:

  1. Addressing Workplace Sexual Harassment in the Wake of #MeToo
  2. A Busy 2017 Sets the Stage for Further Wage-Hour Developments
  3. Your “Top Ten” Cybersecurity Vulnerabilities
  4. 2017: The Year of the Comprehensive Paid Leave Laws
  5. Efforts Continue to Strengthen Equal Pay Laws in 2017

Read the full Take 5 online or download the PDF.

Our colleagues, at Epstein Becker Green, have a post on the Retail Labor and Employment Law blog that will be of interest to many of our readers in the health care industry: “Proposed Federal Bill Would Pre-Empt State and Local Paid Sick Leave Laws.”

Following is an excerpt:

On November 2, 2017, three Republican Representatives, Mimi Walters (R-CA), Elise Stefanik (R-NY), and Cathy McMorris Rodgers (R-WA), introduced a federal paid leave bill that would give employers the option of providing their employees a minimum number of paid leave hours per year and instituting a flexible workplace arrangement. The bill would amend the Employee Retirement Income Security Act (“ERISA”) and use the statute’s existing pre-emption mechanism to offer employers a safe harbor from the hodgepodge of state and local paid sick leave laws. Currently eight states and more than 30 local jurisdictions have passed paid sick leave laws.

The minimum amount of paid leave employers would be required to provide depends on the employer’s size and employee’s tenure. The bill does not address whether an employer’s size is determined by its entire workforce or the number of employees in a given location. …

Read the full post here.

In a recent update to the IRS’ Questions and Answers on Employer Shared Responsibility Provisions under the Affordable Care Act, the IRS has advised that it plans to issue Letter 226J informing applicable large employers (ALEs) of their potential liability for an employer shared responsibility payment for the 2015 calendar year, if any, sometime in late 2017. The IRS plans to issue Letter 226J to an ALE if it determines that, for at least one month in the year, one or more of the ALE’s full-time employees was enrolled in a qualified health plan for which a premium tax credit (PTC) was allowed (and the ALE did not qualify for an affordability safe harbor or other relief for the employee). The IRS will determine whether an employer may be liable for an employer shared responsibility payment, and the amount of the potential payment, based on information reported to the IRS on Forms 1094-C and 1095-C and information about the ALE’s full-time employees that were allowed the premium tax credit.

In my blog last year, “ACA Information Reporting: Ensuring Big Data Analyses Do Not Lead to Big Penalties,” the terms of Letter 226J were still unclear, but the need to establish an approach for reviewing and responding to these types of letters was already apparent. If an ALE receives a Letter 226J from the IRS, the employer will have only 30 days from the date of the letter to dispute liability for a penalty payment. With the holiday season and other year-end deadlines, preparing a response with sufficient detail will undoubtedly become a daunting task. As provided on the model Letter 226J, employers that wish to dispute the liability assessment will need to:

  • Complete, sign, and date a Form 14764, Employer Shared Responsibility Payment (ESRP) Response, and send it to the IRS by the due date along with a signed statement explaining why the employer disagrees with part or all of the proposed ESRP,
  • Ensure that the statement describes changes, if any, the employer wants to make to the information reported on Form(s) 1094-C or Forms 1095-C,
  • Make changes, if any, on the Employee PTC Listing using the indicator codes in the Instructions for Forms 1094-C and 1095-C for the tax year shown on the first page of this letter,
  • Include the revised Employee PTC Listing, if necessary, and any additional documentation supporting the employer’s changes with the Form 14764, ESRP Response, and signed statement.

If the ALE responds to Letter 226J, the IRS will acknowledge the ALE’s response to Letter 226J with an appropriate version of Letter 227 (a series of five different letters that, in general, acknowledge the ALE’s response to Letter 226J and describe further actions the ALE may need to take). If, after receipt of Letter 227, the ALE disagrees with the proposed or revised employer shared responsibility payment, the ALE may request a pre-assessment conference with the IRS Office of Appeals. The ALE should follow the instructions provided in Letter 227 and Publication 5, Your Appeal Rights and How To Prepare a Protest if You Don’t Agree, for requesting a conference with the IRS Office of Appeals. A conference should be requested in writing by the response date shown on Letter 227, which generally will be 30 days from the date of Letter 227.

Now is the time to consider a self-audit of 1095-C reporting, as well as organization of documents that may be needed to prepare a response and/or appeal to the IRS. If the ALE does not respond to either Letter 226J or Letter 227, the IRS will assess the amount of the proposed employer shared responsibility payment and issue a notice and demand for payment, Notice CP 220J.

Our colleagues, at Epstein Becker Green, have a post on the Retail Labor and Employment Law blog that will be of interest to many of our readers in the technology industry: “New Jersey’s Appellate Division Finds Part C of the ‘ABC’ Independent Contractor Test Does Not Require an Independent Business.”

Following is an excerpt:

In a potentially significant decision following the New Jersey Supreme Court’s ruling in Hargrove v. Sleepy’s, LLC, 220 N.J. 289 (2015), a New Jersey appellate panel held, in Garden State Fireworks, Inc. v. New Jersey Department of Labor and Workforce Development (“Sleepy’s”), Docket No. A-1581-15T2, 2017 N.J. Super. Unpub. LEXIS 2468 (App. Div. Sept. 29, 2017), that part C of the “ABC” test does not require an individual to operate an independent business engaged in the same services as that provided to the putative employer to be considered an independent contractor. Rather, the key inquiry for part C of the “ABC” test is whether the worker will “join the ranks of the unemployed” when the business relationship ends. …

Read the full post here.

For the second time in as many years, California Governor Jerry Brown has vetoed “wage shaming” legislation that would have required employers with 500 or more employees to report gender-related pay gap statistics to the California Secretary of State on an annual basis beginning in 2019 for publication on a public website. Assembly Bill 1209 (“AB 1209”), which we discussed at length in last month’s Act Now advisory, passed the Legislature despite widespread criticism from employers and commerce groups. This criticism included concerns that publication of statistical differences in the mean and median salaries of male and female employees without accounting for legitimate factors such as seniority, education, experience, and productivity could give a misleading impression that an employer had violated the law. Opponents also decried the burden the bill would place on employers to do data collection and warned that it would lead to additional litigation. In vetoing the measure, Governor Brown noted the “ambiguous wording” of the bill and stated he was “worried that this ambiguity could be exploited to encourage more litigation than pay equity.”

However, the same pen that vetoed AB 1209 signed another pay-equity law last week: Assembly Bill 168 (“AB 168”). AB 168 precludes California employers from asking prospective employees about their salary history information. “Salary history information” includes both compensation and benefits. Like similar laws passed recently in several other states and cities, the policy underlying the inquiry ban is that reliance upon prior compensation perpetuates historic pay differentials. Opponents have argued that such a ban will make it more difficult for employers to match job offers to market rates. Go to our Act Now Advisory on AB 168 for a comprehensive review of this new law.