To Protect and Serve: Privacy Concerns for Public Employers

Do public employees have private lives? In other words, just how much can a public employer base decisions on an employee’s off-duty conduct? The Ninth Circuit, in a recent opinion, disagreeing with both the Fifth and Tenth Circuits, has determined that the question still remains to be decided.

The Facts

In June 2012, Janelle Perez worked as a probationary police officer for the Roseville Police Department (RPD). A few months into her tenure, Perez and a fellow officer began an intimate relationship. At the time, both were separated but still married to their spouses. The coworker’s wife filed a citizen complaint alleging that inappropriate trysts had occurred while the officers were on duty. Internal Affairs investigated but found no evidence that Perez and her fellow officer had engaged in any on-duty sexual behavior.

Following the internal affairs investigation, RPD terminated her employment. Perez sued, alleging a number of claims, including constitutional violations of her rights to privacy and intimate association under the First, Fourth, and 14th Amendments. Perez’s claim was that the RPD could not terminate her based on the fact that it disapproved of her private, off-duty sexual conduct. The district court awarded summary judgment to the RPD and the individual defendants, finding that they were shielded by qualified immunity because Perez failed to establish a constitutional right to intimacy with her coworker. Perez appealed.

The Ninth Circuit reversed and remanded on the issue of privacy. The panel reiterated its prior holdings that the constitutional guarantees of privacy and free association bar the state from taking adverse employment actions based on private sexual conduct, unless the state can show that the behavior has a negative effect on job performance or violates a constitutionally permissible, narrowly tailored regulation. Ultimately, the panel decided that there existed a genuine factual dispute as to whether the RPD terminated Perez at least partially due to her extramarital affair. (Apparently there was some inconsistency among her superiors as to the basis for her discharge.)

Specifically, the panel pointed to Thorne v. City of El Segundo, which preserved a public employee’s privacy rights where termination was linked, in part, to private, off-duty sexual conduct. The Ninth Circuit found that in Perez’s case, as in Thorne, the RPD could not produce any evidence that the affair had an adverse impact on job performance, nor that any improper behavior occurred while Perez was on duty.

The Road Not Taken…

The Ninth Circuit explicitly rejected the approaches taken by the Fifth Circuit—the wife-swapping case—and the Tenth Circuit—another extramarital affair case. The court explained that the Fifth and Tenth Circuits both misinterpreted the Supreme Court’s Lawrence v. Texas, a decision on the right of sexual autonomy. The Ninth Circuit reasoned that Lawrence recognized the import of intimate sexual conduct within the canon of substantive liberties preserved by the Due Process Clause. Further, Lawrence made it clear that non-traditional was not tantamount to immoral.

Overarching Privacy Concerns

Notably, the Fourth and 14th Amendments’ protections of privacy are not applicable to private employers. Government and other public employees enjoy a constitutionally protected, “reasonable expectation” of privacy that their private counterparts do not. However, Perez, Thorne, and the flux of privacy cases broiling amongst the judicial circuits should still present concerns to private employers. Again, the Fourth and 14th Amendments certainly don’t apply in the private context, but there are still common law privacy interests that all employers should be wary of (i.e., intrusion upon seclusion and public disclosure of private facts).

Claims alleging violations of privacy are complex; they require case-by-case evaluations of a myriad of factors from the physical environment of the workplace, to employer policies, to employee conduct and knowledge. Notwithstanding, the takeaway from Perez is that expectations of privacy can be both tenuous and undefined. Nevertheless, there are still ways to insulate your company from potential claims:

  1. Establish a clear written policy. Whether you’re addressing workplace technology or fraternization amongst employees, develop a comprehensive policy that sets out your expectations. Figure out what private conduct could impact your business and address that conduct. By providing notice on the front-end, it becomes noticeably easier to combat employee expectations of privacy in areas that have been clearly addressed.
  2. Reinforce your policies. Acquiescence is one of the many ways that employer policies can be undermined. Reinforce policies through periodic restatements, warnings, and, if necessary, discipline.
  3. Confirm employee understanding of policies. When you first hire an employee or when you’re conducting an annual review, make it a point to have employees take time to read the policy and sign an acknowledgment form, outlining that they received it, read it, understand it, and consent to be governed by it.

The contours of privacy, and what employees can reasonably expect to be unassailable realms of their lives, are changing daily. Perez is yet another indicator that employers—both public and private—must be cautious, especially when considering off-the-job conduct in making job-related decisions.

If you have employees or are doing business with individuals in the European Union, on May 25, 2018, you will be subject to some new regulations. The General Data Protection Regulation (GDPR) sets a new, heightened standard for data collection of citizens in EU countries, and many companies inside and outside of Europe will need to ensure that their systems and processes comply with a data protection statute that will be among the strictest in the world. There are specific provisions that apply to employee data.

The Basics

The GDPR applies to all companies processing and/or holding the personal data of data subjects residing in the EU, regardless of where the company is physically located. Even companies without an EU presence will be subject to the new rules whenever: (1) an EU resident’s personal data is processed in connection with goods/services offered to him/her; or (2) the behavior of individuals within the EU is “monitored.” Additionally, violations of the GDPR could result in fines of up to 4 percent of a company’s annual global turnover or almost $25 million (20 million euros), whichever is greater.

Dealing with Your EU Employees’ Data

A key element of the GDPR is its heightened requirements for consent by employees for the processing of their personal data. Under the GDPR generally, consent must be freely given, specific, informed, unambiguous, and revocable. The GDPR, however, also acknowledges the limits of consent in situations where it cannot be freely given.

Article 29 of the Data Protection Working Party, an advisory body of representatives from the data protection authority of each EU Member State, outlines guidance on consent under the GDPR. These guidelines specifically acknowledge that an imbalance of power exists between an employer and an employee. Unlike consumers and customers who can provide voluntary consent for data processing, an employee will be unlikely to feel free to deny consent to data processing without fear of reprisal. For example, an employee may not feel free to refuse to fill out an assessment form or to refuse to consent to camera monitoring in the workplace when it could result in his or her termination.

Despite this imbalance of power, Article 29 acknowledges that there may be certain situations where an employee can freely consent. These exceptional circumstances can occur only when the employee is able to refuse consent with no fear of adverse consequences. As an example, Article 29 outlines a scenario where a film crew needs to film in certain office spaces. The employer requests consent from the employees sitting in that area to be filmed. If the employees who do not wish to be filmed suffer no consequences and are permitted to work in another part of the building during the filming period—that would be acceptable consent.

If consent in the employment context can be used only in exceptional circumstances, employers must find another legal basis to process their employees’ data. These additional legal bases include processing employee data when: (1) required for the performance of an employment contract, (2) required by law, or (3) furthering an employer’s legitimate interest. Furthering an employer’s legitimate interest requires the employer to perform a privacy impact assessment – balancing its legitimate interest with the employee’s privacy rights and documenting that the legitimate interest outweighs the employee’s privacy rights.

Next Steps

If you are going to be subject to the GDPR, you should review your employee documents (such as employment contracts or any permissions for data processing) to ensure they do not depend on the employee’s consent. For current employees, you may wish to provide new data processing notices outlining the additional legal bases for data processing. For new hires, you may wish to provide updated employment contracts and other documentation that outline the additional legal basis for data processing identified above. Employers should remain alert that under the GDPR consent alone may be insufficient for data processing in the employer/employee context.

Putting a Finger on a Problem? Employees Challenge Biometric Scanners as Violating Privacy

Employers, if you have ever wondered how much security is too much, there may be an answer coming sooner than you think. In a recently filed complaint, Martin Ragsdale, an employee of the Paramount of Oak Park Rehabilitation & Nursing Center, alleged that the company’s use of biometric data violated his and his coworkers’ individual privacy rights under the Illinois Biometric Information Privacy Act (BIPA).

Paramount requires employees to scan a fingerprint to clock in and out, to confirm identity, and as a security measure. The company believed that the new system would help eliminate common forms of timekeeping fraud and produce a more streamlined operation. Little did they know that what saved them money on the front end may now end up costing them far more on the back end of this litigation.

The Legal Issues

In the complaint, Ragsdale emphasizes the invariable nature of biometric identifiers, explaining that personally identifiable information (PII) such as Social Security numbers can be changed, whereas biometrics—fingerprints, DNA, eye scans—are “biologically unique” and unchangeable. He argues that the BIPA requires organizations to go through a series of steps that involve communication with individuals and getting their consent to use their biometrics before collecting and storing their biometric data. Further, Ragsdale argues that the BIPA mandates that entities collecting biometric data make their data retention and deletion policies publicly available.

Ragsdale’s complaint asserts that Paramount collected biometric data without notifying the employees that it intended to do so, without obtaining consents after the practice was established and without publishing the requisite data storage and deletion policy as required by the BIPA. He further alleges that each time Paramount transmitted the biometric data to third-party and out-of-state vendors a violation of the BIPA occurred.

As of yet, Paramount has not filed its response to the complaint. However, the stakes are potentially high. Each “willful and/or reckless” violation of the BIPA is worth $5,000, and each “negligent” violation is worth $1,000.

This is not an issue limited to Illinois. Although only three states (Illinois, Washington and Texas) have laws specifically targeting the collection of biometric data, there are bills currently pending in Alaska, Connecticut, Massachusetts, and New Hampshire. According to the National Conference of State Legislatures, 48 states, as well as the District of Columbia, Puerto Rico and the U.S. Virgin Islands, have enacted some form of privacy laws to safeguard the collection of personal information. To date, Alabama and South Dakota are the only two states with no similar security laws.

So What Does This Mean for Employers?

If you are considering using a practice that involves the use of PII, biometrics, or any other potentially sensitive information, you should check your state’s laws to see what hoops you need to jump through. If you have already adopted such a practice, check to be sure you complied with the applicable privacy legislation. While your state may not have a law addressing biometrics, the collection and storage of PII may still be addressed in other rules and regulations. Next, you should make sure that your current practices are in line with the statutory requirements, and if they are not, you should find the most expedient way to fix them. And last but certainly not least, as an employer, you should re-evaluate your current level of transparency with your employees.

An ounce of prevention is worth a pound of cure. While the implementation of new technology boasts of improved and more secure operations, employers would do well to remember that with great cybersecurity comes even greater responsibility. Guard your employees’ biometric data now or run the risk of having to pay for it later.