Class Action Waivers and the GDPR
Two landmark developments in employment and data privacy law.
Maier Law Group comes to you this month with two very important legal developments on opposite sides of the globe:
Class Action Waivers
On May 21, 2018, the U.S. Supreme Court ruled in the landmark case Epic Systems Corp. v. Lewis that companies can use arbitration clauses in employment contracts to prohibit employees from banding together to take legal action over workplace issues. In doing so, the Court determined that the Federal Arbitration Act’s policy favoring enforcement of arbitration agreements trumps the National Labor Relations Act, which gives employees the right to join together for their “mutual aid and protection.”
This decision affirms an employer’s ability to compel its employees to arbitration and allows the employer to ask employees to waive their rights to take collective action where the employees have agreed to do so in their employment agreements.
Prior to this historic decision, the enforceability of employment arbitration agreements, especially those with class action waivers, was widely debated. Many courts found such waivers unenforceable, leading companies to forego using these tools to deter their employees from filing class actions to resolve workplace disputes, such as those involving wage and hour claims.
Given the significant financial risk associated with defending class actions, even where they are ultimately found unmeritorious, Maier Law Group strongly encourages its clients to either implement an arbitration agreement with a class action waiver, or amend their existing arbitration agreements to include a clause that requires employees to waive their right to a class or collective action.
The EU’s General Data Protection Regulation (GDPR)
The long-awaited General Data Protection Regulation (GDPR) goes into effect today, May 25, 2018. Why is everyone you know in a state of panic over this law? Let us back up a bit and give you some context.
The GDPR was passed two years ago by the European Parliament to create a harmonized data privacy law across member states of the European Union (EU) and to replace the EU’s privacy directive (which allowed different EU countries to have vastly different laws on privacy, creating a decentralized privacy regime with inconsistent enforcement). The advent of the GDPR means one uniform and very strict data privacy law across all of Europe that will also impact companies outside of Europe, even if they do little business with the region. In fact, the GDPR is sometimes criticized as the EU’s attempt to export its privacy regime to the rest of the world because it brings so many entities worldwide under its domain. For example, a number of US companies who occasionally send a handful of emails to businesses or people in the EU have asked if they need to comply.
The answer is, of course, that it depends.
Here’s what we recommend companies ask themselves to find out if they need to comply with GDPR:
1. Does my company offer goods or services to people living in the EU?
2. Does my company monitor the behavior of individuals located in the EU?
3. Does my company have employees in the EU?
If 2 or 3 is a yes, you’re going to have to comply with the GDPR. If 1 is a yes, you’ll likely have to comply, but the key issue with all of these questions is: Does your company collect EU residents’ personal data (or process, store or transmit such data)? If it does, the GDPR requires you to comply with its terms by May 25, 2018.
So, what is considered personal data?
The answer is that it’s a very broad definition, thus one of the reasons for the law’s broad scope. For example, business contact information, such as a work email address, is considered personal data in the EU. That means that even if you just have a website that takes in some basic data of EU residents, you’ll technically have to comply with the GDPR.
So, to respond to the questions I’ve been getting about sending emails to EU-based individuals, if you’re collecting email addresses or send email to subscribers in the EU, you’ll have to comply with GDPR. If you have even a single employee in the EU, you’ll have to comply with the GDPR. If your company simply operates a website as part of its business that can take in information belonging to EU residents, you’ll have to comply with the GDPR. Hence the panic. Complying with the GDPR is no small feat.
In order to comply with the GDPR, you’ll have to develop a robust privacy program and likely map out all of your data, for starters. This process allows a company to get its arms around what data the company has, where its data security vulnerabilities lie, and what it has to do to bring itself into compliance with the new EU directive. Then you’ll need to start thinking about building good privacy practices into your products and systems (called “privacy by design”), you’ll need to start keeping records on your data processing activities, and you’ll need to be able to justify all your data processing based on a legitimate interest, to name just a few things GDPR requires.
In terms of email, you’ll only be able to send email to people who’ve opted in to receive email messages from your company, with a few limited exceptions. Even sending an email asking for that consent violates the GDPR. However, note that this was already the case prior to the GDPR’s enactment. The GDPR only further specifies the nature of consent that’s required for commercial communication: it must be consent that is “freely given, specific, informed and unambiguous” to be compliant with GDPR. Canada also requires this, and like the GDPR, Canada’s anti-spam law has been hailed as ridiculously strict. In any case, both laws require that an email recipient take an affirmative action to indicate consent to receiving email, such as by checking a box, or sending an email requesting the email communications.
What happens if you don’t comply?
GDPR not only comes with stricter regulations around consent and the use of personal data, but also with higher-than-ever penalties for businesses that don’t comply. Fines can be as high as 20 million Euros or 4% of a brand’s total global annual revenue (whichever is higher).
That being said, it’s unclear at this point whom data protection authorities will go after in enforcement. Authorities won’t have the bandwidth to go after every company that’s not fully compliant with GDPR. They will rely heavily on consumers to report breaches, and will likely focus their efforts on the most serious violations. Still, the potential penalties are so steep that I do recommend that companies start taking actions now, if they haven’t already, to bring themselves into compliance. Such actions will also demonstrate a business’s privacy savvy, something that is becoming increasingly important to consumers, and subject to increasingly strict local laws as well. In short, the GDPR is a pain in the neck to comply with, but it protects companies as well as their clients in very important ways, and it can be used to generate trust between companies and their clients.
Authors: Diana Maier and Caitie Emmett.
The Maier Law Group helps companies ensure that their policies and practices comply with the relevant workplace regulations. We also offer advice and counsel on data privacy issues. Please contact us at info@maierlawgroup.com for more information.
This article has been prepared for general informational purposes only and does not constitute advertising, solicitation, or legal advice. If you have questions about a particular matter, please contact the Maier Law Group directly.