Other Observations

China: Proposition to Speed up Legislation on Personal Information Protection Was Made to the Highest Legislative Body

With the development of the big data industry, personal information leakage is on the rise, and more and more multinationals are taking an interest in compliance with local regulation on personal information. However, China has not specifically legislated on personal information protection; it only has some relevant provisions, standards and methods set out in guidelines and legal documents of relatively lower authority. The National People’s Congress Conference and the Chinese People’s Political Consultative Conference (collectively the “Two Conferences”) were convened and held from March 5 to March 20. During this year’s Two Conferences, several National People’s Congress representatives and Chinese People’s Political Consultative Conference members proposed speeding up legislation on personal information protection in order to specify the basic principles and norms for the collection, utilization and processing of personal information, clarify the civil and criminal liability for misuse of personal information, and provide remedial channels and procedures for personal information protection.

For more information on these articles or any other issues involving labour and employment matters in China, please contact Carol Zhu, Partner at Zhong Lun Law Firm (www.zhonglun.com) at carol.zhu@zhonglun.com

Canada: Ontario Government Proclaims Significant Amendments Regarding Workplace Safety and Insurance Costs and Penalties for Clients of Temporary Help Agencies

On April 6, 2018, the Ontario government proclaimed Schedule 5 of Bill 18 (also known as the Stronger Workplaces for a Stronger Economy Act, 2014, S.O. 2014, c. 10). Schedule 5 to Bill 18 will enable Ontario’s Lieutenant Governor in Council to make regulations that could potentially revolutionize the way workplace safety and insurance costs are allocated as between temporary help agencies and their clients.

Pursuant to Schedule 5, such regulations could require that, if a temporary help agency lends or hires out the services of a worker to certain employers and the worker sustains an injury while performing work for the other employer, the Workplace Safety and Insurance Board (WSIB) would, amongst other things:

  • Deem the total wages that are paid in the current year to the worker by the temporary help agency for work performed for the client to be paid by the client;
  • Attribute the injury and the accident costs arising from the injury to the client;
  • Increase or decrease the amount of the client’s WSIB premiums based upon the frequency of work injuries or the accident costs or both;
  • Require that, if a temporary help agency lends or hires out the services of a worker to certain clients and the worker sustains an injury while performing work for those clients, the client notify the WSIB of the injury; and
  • Prescribe penalties for failure to comply with certain aspects of these regulations.

If you are unsure as to whether or how the coming into force of Bill 18’s amendments to workplace safety and insurance legislation might affect your business operations in Ontario, it would be prudent to seek the advice of a labour and employment lawyer.

For more information on these articles or any other issues involving labour and employment matters in Canada, please contact Robert Bayne, Partner at Filion Wakely Thorup Angeletti (www.filion.on.ca) at rbayne@filion.on.ca

Belgium: New notice periods coming up

The new notice periods will apply in case of dismissal by the employer during the first 6 months of employment.

You can find the new notice periods in the table below:

Nothing changes for the notice periods in case of resignation by the employee.

For more information on these articles or any other issues involving labour and employment matters in Belgium, please contact Chris Van Olmen, Partner at Van Olmen & Wynant (www.vow.be) at chris.van.olmen@vow.be

Does the GDPR Apply to Your US-based Company?

If you’ve been following the headlines, you know that a day doesn’t pass without a reference to the “GDPR”. On May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) will take effect, marking the most significant change to European data privacy and security in over 20 years. Most multinational companies, and of course EU-based companies, should be in the process of ensuring GDPR compliance by May 2018. But what if you are a US-based company with no direct operations in the EU? Do you think you are free of the GDPR’s reach? Think again!

In short, the GDPR aims to protect the “personal data” of EU citizens – including how the data is collected, stored, processed and destroyed. The meaning of “personal data” under the GDPR goes far beyond what you might expect considering how similar terms are defined in the U.S. Under the GDPR, “personal data” means information relating to an identified or identifiable natural person. A person can be identified from information such as name, ID number, location data, online identifier or other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. This even includes IP addresses, cookie strings, social media posts, online contacts and mobile device IDs.

Territorial Scope

A major change made by the GDPR is the territorial scope of the new law. The GDPR replaces the 1995 EU Data Protection Directive which generally did not regulate businesses based outside the EU. However, now even if a US-based business has no employees or offices within the boundaries of the EU, the GDPR may still apply.

Under Article 3 of the GDPR, your company is subject to the new law if it processes personal data of an individual residing in the EU when the data is accessed. This is the case where the processing relates to the offering of goods or services or the monitoring of behavior that takes place in the EU.

Thus, the GDPR can apply even if no financial transaction occurs. For example, if your organization is a US company with an Internet presence, selling or marketing products over the Web, or even merely offering a marketing survey globally, you may be subject to the GDPR. That said, general global marketing does not usually trigger it on its own. If you use Google Adwords and a French resident stumbles upon your webpage, the GDPR likely would not apply to the company solely on that basis. If, however, your website pursues EU residents – accepts the currency of an EU country, has a domain suffix for an EU country, offers shipping services to an EU country, provides translation in the language of an EU country, or markets in the language of an EU country – the GDPR will apply to your company. Likewise, if your company is engaged in monitoring the behavior of EU residents (e.g. tracking and collecting information about EU users to predict their online behavior), the GDPR likely will apply to your company.

US-based companies with no physical presence in the EU, but in industries such as e-commerce, logistics, software services, travel and hospitality with business in the EU should already be in the process of ensuring GDPR compliance. However, all US-based companies, especially those with a strong Internet presence, should assess whether their business activity falls within the territorial scope of the GDPR.

Consequences of Non-Compliance

The GDPR imposes significant fines for companies that fail to comply. Penalties and fines, calculated based on the company’s global annual turnover of the preceding financial year, can reach up to 4% or €20 million (whichever is greater) for non-compliance with the GDPR, and 2% or €10 million (whichever is greater) for less important infringements. So, for example, if a company fails to report a breach to a data regulator within 72 hours, as required under Article 33 of the GDPR, it could pay a fine of the greater of 2% of its global revenue or €10 million.

A report by Gartner predicted that more than 50% of companies within the scope of the GDPR will not be compliant by the end of 2018. Considering that one of the main objectives of the GDPR was to expand the territorial scope, companies based outside the EU should not be surprised to find that they are a particular target of data regulators.

Don’t let your company become next year’s headline! This article kicks off our GDPR series that will help your company navigate the key aspects of the regulation. Efforts toward compliance need to begin now.

For more information on these articles or any other issues involving labour and employment matters in United States, please contact John Sander, Principal at Jackson Lewis P.C. (www.jacksonlewis.com) at John.sander@jacksonLewis.com

U.S. Employers with EU Employees Gearing Up for the GDPR

With the continuing parade of high profile data security breaches, the concern U.S. organizations have about the security of their systems and data has been steadily growing. And rightly so. Almost every organization processes (collects, uses, stores, or transmits) individually identifiable data. Much of this data is personal data, including employee data, which brings heightened privacy and security responsibilities and obligations.

For certain entities, these responsibilities and obligations are about to increase significantly. On May 25, 2018, the EU General Data Protection Regulation (GDPR) goes into effect. This is a game changer for those organizations subject to the jurisdiction of the GDPR, and not just because of its new data breach notification provision. The GDPR contains expanded provisions for data collection, retention, and access rights unlike those they are used to in the U.S. that will create substantial challenges for U.S. employers processing their EU employee data.

To effectively meet these challenges, U.S. employers need to take stock of the data they process concerning individuals relating to EU operations (and not just about employees, although that is our focus here). What categories of EU employee data are processed? Where does it come from? In what context and where is it processed and maintained? Who has access to it? Are the uses and disclosures being made of that information permitted? What rights do EU employees have with respect to that information? The answers to these questions are not always self-evident. Employee data may cover current, former, or prospective EU employees as well as interns and volunteers. It may come from assorted places and be processed in less traditional contexts. And it may be processed in the cloud, the U.S., or elsewhere outside the EU.

Starting with the source of EU employee data, the U.S. employer should review its connections with the EU. Does it have an EU branch or office, a subsidiary or affiliate? An EU franchise, agent, or representative? Has it recently merged with or acquired an organization with EU locations or connections? Any one of these connections is a potential source of EU employee or comparable internal personal data, regardless of how small.

Next, how does the U.S. employer process its EU employee or internal personal data? This data can be processed in traditional contexts – HRIS, benefits, payroll, Active Directory or contact information, and recruitment or talent management. It can be processed in other contexts – Customer Relationship Management, software applications, IT maintenance and security review activity, surveillance images, remote log-in, business-related travel and event attendance support, professional development, training and certification, and external-facing websites simulating annual reports or collecting job applications. Even if the U.S. employer outsources payroll, benefits administration, or HR, it may still process EU employee or internal personal data in other contexts.

For a specific example of employee data processing, consider the internal-facing website or employee that facilitates business travel or conference registration. This service collects the EU employee’s personal data in the form of name, address, phone number, work title and work address. However, it may also collect the EU employee’s special hotel and dining accommodation needs. This additional information may reveal health, disability, or religious belief information about the EU employee, all of which is subject to heightened protections. In another example, the organization’s training portal may use video presentations featuring internal trainers. These videos contain employee personal data – the trainer’s photo and, perhaps, work contact information. Locating and identifying all forms of EU employee data processing is critical. However, knowing what actually constitutes EU employee personal data is key.

Identifying employee personal data in the context of the GDPR is challenging. The GDPR definition, especially when applied to an EU employee, can be expansive, and for U.S. employers often surprising. EU employee personal data includes “any information relating to an identified or identifiable” EU employee. Identifiable simply means the employee can be “identified directly or indirectly… by reference to an identifier… or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.” This may include name, address, driver’s license number, date of birth, passport number, vehicle registration plate number, phone number, photos, email address, ID card, workplace or school, and financial account numbers. With respect to employees, it may also encompass gender, personnel reports (including objective and subjective statements), recruitment data, job title and position, work address and phone number, salary information, health and sickness records, monitoring and appraisals, criminal records, rent, retirement or severance data, and online identifiers such as dynamic IP addresses, metadata, social media accounts and posts, cookie identifiers, radio frequency tags, location data, mobile device IDs, web traffic surveillance that identifies the machine and its user, and CCTV images. ‘Special categories’ of employee data – racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning an employee’s health, sex life, or sexual orientation, and biometric and genetic data – require heightened levels of protection under the GDPR. Given the broad interpretation of personal data under the GDPR, a determination of what constitutes employee personal information is often based on the relevant facts and circumstances.

May 2018 is approaching quickly. The GDPR may bring new and enhanced obligations for U.S. employers. Significant among these is employee consent to processing personal data. With this in mind, employers should begin evaluating their organizations through the lens of employee data collection and processing, keeping in mind applicable national laws.

For more information on these articles or any other issues involving labour and employment matters in United States, please contact John Sander, Principal at Jackson Lewis P.C. (www.jacksonlewis.com) at John.sander@jacksonLewis.com

USA: Top 10 Privacy Developments for 2018

While the “Top 10 for 2018” list is by no means exhaustive, it provides key issues organizations should consider in 2018:

  1. Greater Focus on EU Data Protection Requirements

Many U.S. organizations mistakenly think the European Union’s data protection requirements do not apply to them. However, organizations that control or process the personal data of EU residents likely are subject to the General Data Protection Regulation (GDPR), which takes effect on May 25, 2018. Therefore, U.S. companies that sell or market products over the internet to individuals in the EU, for example, should assess whether they must comply with the GDPR. The GDPR’s many privacy and security compliance requirements have undergone what is considered the greatest change to EU privacy and data security law in 20 years. Key changes include a 72-hour breach-reporting requirement, the “right to be forgotten,” heightened data-subject consent, and tougher fines and penalties.

While not all organizations in the U.S. will have GDPR-compliance requirements, many will and their executives and human resources, legal, and IT departments should be well-aware of their responsibilities (see our blog post, Does the GDPR Apply to Your US-based Company?). The HR department, for example, should be familiar with the provisions concerning human resources data, as well as those on employee monitoring and profiling or analytics activities (see our blog post, U.S. Employers with EU Employees Gearing Up for GDPR).

  2. Biometric Data – Emerging Law and Litigation

The trend for greater immersion of biometrics and other technologies, such as GPS, into business operations continues with no shortage of related legal issues. Over the last few years, for example, the Illinois Biometric Information Privacy Act (BIPA) produced many class action lawsuits on the collection, safeguarding, or retention of biometric information. Claims against employers surged during 2017. However, a state court decision may change the landscape for biometric lawsuits in 2018. For the first time, in Rosenbach v. Six Flags Entertainment Corp., an Illinois state court held that plaintiffs must claim actual harm, rather than simply a technical violation, to be considered an “aggrieved person” under the BIPA. Plaintiffs likely will continue to test legal arguments on whether an individual is an “aggrieved person” under the BIPA. Accordingly, companies that want to implement (or have implemented) technology using employee or customer biometric information (e.g., for timekeeping, physical security, validating transactions, or other purposes) should be prepared.

In addition, the surge of biometric class action suits, together with the growing use of biometric data and devices, appears to have inspired states to consider BIPA-like legislation. For example, in 2017, Alaska, Connecticut, Massachusetts, New Hampshire, and Washington initiated or passed legislation to enhance protections for biometric information.

  3. Analytics in the Workplace – Privacy Vulnerabilities

The use of analytics in the workplace continues to grow. Whether to optimize marketing campaigns or measure sales, the sales, marketing, and financial fields have relied on analytics to make key business decisions. The use of analytics has moved to other business operations as well. Increasingly, organizations are using analytics for workspace optimization with in-office sensors to inform office design, supplies inventory, and lease renewals. Of course, employing analytics to improve hiring, placement, promotions, and termination decisions by analyzing interviews, quantifying individual performance, and evaluating how team dynamics and demographics affect results likely will be more widely adopted.

Organizations are making more, better, and faster decisions with analytic tools. Their use raises concerns about discrimination and disparate impact, as well as questions on the handling of personal data — its source, maintaining privacy and confidentiality, and the security of data in the hands of the organization and its affiliates and vendors.

  4. Enhanced Connectivity – GPS plus IoT

No longer is GPS the only option for tracking employees, company equipment, and data. Combining GPS technology with “Internet of Things” (IoT) technology (i.e., the growing network of internet-enabled devices that communicate with one another), including wearables and automated assistants, and video and audio surveillance, employers can significantly boost their employee monitoring capabilities. Moreover, tracking tools are readily accessible on most digital devices, particularly smartphones, contributing to their increased use. Employers can monitor employee phone calls, work email, keystrokes, internet behavior, movements, log time, location, tone of voice, interaction with colleagues, and so on. These technologies likely improve efficiency, productivity, and safety, help ensure compliance with company policies, protect employer-owned property, and provide better customer service. However, such connectivity raises privacy and security concerns.

The fundamental conflict between employers’ right to monitor and employees’ right to privacy continues to be brought before the courts for clarification. More courts are addressing GPS tracking in the workplace (see our blog post, Employer Denied Access to GPS Data), and several states (e.g., California, Minnesota, Texas, and Tennessee) are limiting when and how GPS and related technologies can be utilized (see our blog post, GPS Tracking and Smartphone Apps – Get Consent!).

Consider a policy that includes notifying employees of any monitoring activities and other features related to the associated technology. For example, if a system also has audio and video surveillance capabilities or other functionalities (such as tracking speed, gas consumption, and driving behaviors), the organization should consider whether employees or other individuals in the vehicle should be on notice. When the tracking device should stop tracking the employee is another consideration.

  5. Ransomware and Phishing Attacks Continue

Ransomware. Ransomware erupted into a billion-dollar industry in 2016. Attacks increased in 2017 by up to 250 percent, according to some estimates, with damage costs estimated to top $5 billion. Forecasters anticipate these numbers will continue to rise in the coming years. Ransomware attacks are becoming more widespread — infiltrating companies globally and across multiple sectors. At the start of 2017, ransom payouts averaged approximately $15,000. Over the last few months, demands of $250,000 to $500,000 became a weekly occurrence, according to Kivu Consulting and Navigant Consulting, third-party specialists that facilitate cryptocurrency payments and investigate perpetrators.

According to McAfee:

The profitability of traditional ransomware campaigns will continue to decline as vendor defenses, user education, and industry strategies improve to counter them. Attackers will adjust to target less traditional, more profitable ransomware targets, including high net-worth individuals, connected devices, and businesses.

The 2017 “WannaCry” ransomware attack brought ransomware international attention. On May 12, 2017, some hospitals in the UK’s National Health Service reported being locked out of their computer systems until they complied with ransomware demands. The attack on 300,000 computers across 150 countries exploited a vulnerability in Microsoft’s file-sharing mechanism. Microsoft discovered the vulnerability and issued a patch weeks before, but companies affected had not installed the patch in time. The White House concluded that North Korea was responsible for the WannaCry attack. This is even more worrisome, as, unlike other cybercriminals, nation-states have economic and political backing.

In addition, while many organizations trust and rely on cloud service providers to store their data, believing, in part, that the providers can better safeguard their data, Computer Weekly recently reported the Massachusetts Institute of Technology’s prediction that cloud services may turn out to be ransomware’s favorite targets in 2018. For these reasons, organizations should continue to develop and refine their plans to be prepared to effectively respond to an attack.

Phishing Attacks. HR professionals can expect constant, surreptitious attacks from hackers seeking employee tax information, particularly Forms W-2, in January and February. Watch for spearphishing emails targeting HR and payroll personnel likely to have access to this information and who are apt to respond to requests from management for that information. Of course, the emails are not from management, but are artfully disguised as such. The results of successful attacks are that fraudulent tax returns are filed in employees’ names and employers must provide breach notifications to affected employees and, possibly, state agencies. Trust but verify. Employees should be advised to trust the source, but to call and confirm the request verbally.

Phishing attacks also have spiked in the healthcare industry. Malware easily can be distributed with a link or infected attachment and delivered to healthcare employees by email. Hackers then can access a healthcare provider’s database containing hundreds, if not thousands, of patient records.

  6. Insider Threats

Ransomware, phishing, and other cyberattacks by external hackers often are the main focus of a cybersecurity plan. However, malicious insiders, such as disgruntled employees, with access to areas of the employer’s system that external hackers cannot easily reach often cause the most costly data breaches. Examples of situations in which internal threats can arise include:

  1. An employee leaving a company and taking customer, patient, or client data that includes personal information. The information is used by the former employee or the former employee’s new company to solicit business from those individuals (see our blog post, Healthcare Worker Gives New Employer Patient Records, Old Employer Pays $15,000 to NY Attorney General for HIPAA Violation);
  2. Fearing the loss of his or her job, an employee removes files with personal information about customers, patients, or clients in preparation for challenging the termination and related litigation; and
  3. A former employee hacks the payroll system to inflate his pay, accesses proprietary files, and hijacks the company website (see our blog post, Company Awarded Damages after Former Employee Hacks Its Systems and Hijacks Its Website).

More innocent, but equally concerning, are threats such as inadvertent loss of credentials due to clicking spam links with malicious viruses attached, losing a laptop, unknowingly bringing an infected device to work, sending sensitive files to the wrong address, and the like.

According to a 2017 Insider Threat Report by ipswitch, 53 percent of companies estimate remediation costs of at least $100,000, with 12 percent of companies estimating a cost of more than $1 million. The same report suggests that 74 percent of security breaches originate from within the extended global enterprise, including a current or former employee, contractor, or business partner with access to company data.

  7. Privacy and Data Breach Class Actions

In May 2016, the U.S. Supreme Court held in Spokeo v. Robins that plaintiffs must allege a tangible or intangible concrete injury to establish Article III standing to sue. This confused the lower courts. How are they to apply this standard in a range of data breach and statutory privacy class actions (such as under the Telephone Consumer Protection Act, Fair and Accurate Credit Transaction Act, and Video Privacy Protection Act)? Different standards have developed and, even within the same circuit, separate panels have reached conflicting conclusions. For example, paying for data security protections he did not receive was sufficient to confer standing on a customer, a panel in the U.S. Court of Appeals for the Eighth Circuit had ruled. However, a separate Eighth Circuit panel ruled the threat of future identity theft from a data breach was insufficient for standing.

The company in Spokeo has re-petitioned the U.S. Supreme Court to review the panel decision finding standing in its case. If the Court provides clarity on this issue in 2018, organizations can better navigate class action suits following a data breach or a statutory privacy violation.

  8. Data Breach Readiness

In 2017, a surge of massive data breaches affected more than one-half of the U.S. population. Cyberthreats in the coming year are expected to affect even more people, as hackers develop new attack methods (while IT departments charged with protecting a company’s sensitive information try to keep up). Many hope that advanced machine learning and artificial intelligence technologies can help organizations become better at detecting and remediating attacks. However, hackers also have access to these tools, and they will use them to strengthen their attacks to overcome organizations’ defenses. The battle will continue.

Companies of all sizes and in all industries are expanding their cybersecurity programs and incident response plans. It is important for cybersecurity programs to be flexible, improving and evolving with the shifting tactics of hackers.

  9. Increased Data Privacy and Security Legislation

Following massive data breaches in 2017, data privacy and security legislative proposals were introduced at the federal and state level. Senate Democrats introduced the Consumer Privacy Protection Act of 2017, geared toward protecting Americans’ personal information against cyberattacks and ensuring timely notification and protection when data is breached. Subsequently, three Democratic Senators introduced the Data Security and Breach Notification Act, which would require companies to report a breach within 30 days of becoming aware of it and under which any person may face a penalty of up to five years in prison for concealing a breach.

New York Attorney General Eric T. Schneiderman proposed the SHIELD Act, which would heighten data security requirements for companies and better protect New York residents from data breaches of their personal information. Similar legislation has been proposed in Ohio and Vermont and is being contemplated in other states. State data breach notification laws also continue to develop. Maryland amended its Personal Information Protection Act to expand the definition of personal information, modify the definition of security breach, and provide a 45-day timeframe for notification, among other changes. New Mexico enacted the Data Breach Notification Act, becoming the 48th state with a data breach notification law.

  10. Vendor Management

Virtually all businesses interact with third-party vendors for a variety of reasons that involve all kinds of confidential company information. Increasingly, to derive efficiencies and control costs, vendors are linked directly to their customers’ information systems. Cloud service providers, benefits brokers, medical billing services, debt collection companies, consultants, accountants, law firms, staffing services, shredding/data destruction services, cleaning service providers, and other businesses utilize third-party vendors to provide an array of services. In the course of providing their services, vendors, like their clients, use technologies and devices (such as mobile devices, wireless networks, and flash drives) that pose risks to information they handle. Moreover, there may be legal obligations associated with a company’s use of vendors, such as requirements in third-party service provider contracts.

In certain states (including California, Illinois, Maryland, Massachusetts, Nevada, Oregon, and Texas), companies must obtain a written agreement with all third-party vendors handling personal information of state residents in order to provide services to the company. Similar requirements exist elsewhere. For instance, HIPAA imposes expansive requirements for any “business associate” or “subcontractor” that handles protected health information. The Payment Card Industry (PCI) standards have similar requirements, and law firms in many states (e.g., Maine, Missouri, New Jersey, New York, Oregon, Vermont, and Wisconsin) are subject to specific state ethical mandates to have written assurances from vendors handling client data. Finally, a company that must adhere to the looming EU GDPR will have to reassess its relationship with any third-party vendor that processes personal data. Vendor management should be part of an overall strategy to safeguard company and personal information.


Bonus: Be Vigilant and Watch for Changes

Organizations should constantly assess their privacy and data security risks and implement policies and procedures to protect the personal information and data they maintain. This is particularly important as the law and industry guidance change and evolve to keep up with technological advancements. Organizations need to be vigilant to remain compliant and competitive.

For more information on these articles or any other issues involving labour and employment matters in the United States, please contact John Sander, Principal at Jackson Lewis P.C. (www.jacksonlewis.com) at John.sander@jacksonLewis.com

China: Information Security Technology-Personal Information Security Specification Was Recently Released

The National Information Security Standardization Technical Committee recently released the Information Security Technology-Personal Information Security Specification (GB/T 35273-2017) (hereinafter the “Specification”). The Specification defines and explains the technical terms related to personal information security, such as “personal information”, “personal sensitive information”, “personal data subject”, etc. The Specification also provides detailed requirements and standards for the collection, preservation, use, processing and transmission of personal information. It further specifies the basic principles of personal information security, such as “seeking personal data subject’s consent”, “minimum use of personal information”, “ensuring personal information security” and “personal data subject’s participation”. In addition, the Specification provides a Privacy Policy Template in its appendixes to elaborate the specific terms and requirements of a privacy policy, as guidelines for businesses to formulate and announce privacy policies. Although recommended as a national standard, the Specification is not legally binding; it is nonetheless an important reference for businesses’ compliance with regulation on personal information.

For more information on these articles or any other issues involving labour and employment matters in China, please contact Carol Zhu, Partner at Zhong Lun Law Firm (www.zhonglun.com) at carol.zhu@zhonglun.com

Canada: Ontario Government to Proclaim Significant Amendments Regarding Workplace Safety and Insurance Costs and Penalties for Clients of Temporary Help Agencies

In a statement to a local newspaper, Ontario’s Minister of Labour indicated that the Ontario government will proclaim legislation written three years ago but never enacted – in particular, Schedule 5 of Bill 18 (also known as the Stronger Workplaces for a Stronger Economy Act, 2014, S.O. 2014, c. 10). Schedule 5 to Bill 18 would enable Ontario’s Lieutenant Governor in Council to make regulations that could potentially revolutionize the way workplace safety and insurance costs are allocated as between temporary help agencies and their clients.

Pursuant to Schedule 5, such regulations could require that, if a temporary help agency lends or hires out the services of a worker to certain employers (the clients) and the worker sustains an injury while performing work for the client, the WSIB would, amongst other things:

  • Deem the total wages that are paid in the current year to the worker by the temporary help agency for work performed for the client to be paid by the client;
  • Attribute the injury and the accident costs arising from the injury to the client;
  • Increase or decrease the amount of the client’s WSIB premiums based upon the frequency of work injuries or the accident costs or both;
  • Require that, if a temporary help agency lends or hires out the services of a worker to certain clients and the worker sustains an injury while performing work for those clients, the client notify the WSIB of the injury; and
  • Prescribe penalties for failure to comply with certain aspects of these regulations.

To verify when or whether a proclamation with respect to Bill 18 has been issued by the Lieutenant Governor of Ontario, please visit the Ontario government’s proclamations webpage.

If you are unsure as to whether or how the coming into force of Bill 18’s amendments to workplace safety and insurance legislation might affect your business operations in Ontario, it would be prudent to seek the advice of a labour and employment lawyer.

For more information on these articles or any other issues involving labour and employment matters in Canada, please contact Robert Bayne, Partner at Filion Wakely Thorup Angeletti (www.filion.on.ca) at rbayne@filion.on.ca

France: Updates on the Macron ordinances: the rationale for economic dismissals is now evaluated at the national level

The Macron reform has introduced some flexibility into the economic redundancy procedure: the scope at which the economic grounds (for example, economic difficulties) are assessed, previously all the companies of the group, is now limited to the company or companies of the group located on French territory. The same is true for the search for redeployment positions, which is to be carried out in companies located in France. The consultation rules for staff representatives have been adapted to take account of the setting up of the new Social and Economic Committee (“CSE”). Finally, the possibility of dismissal before transfer, provided for by the Labor Law of 8 August 2016 but limited to companies with at least 1000 employees, has been extended to all companies required to establish a social plan (PSE) and wishing to accept a takeover offer.

For more information on these articles or any other issues involving labour and employment matters in France, please contact Joël Grangé, Partner at Flichy Grangé Avocats (www.flichygrange.com) at grange@flichy.com

Norway: A campaign for drug prevention in working life

As many as 70 % of Norwegian employees want guidelines regarding the use of alcohol in work-related situations, such as kick-offs and summer parties. 80 % of employees also want the employer to have schemes in place for employees with a strained relationship to alcohol or other drugs.

A liberal alcohol culture in the workplace can affect the employee’s well-being, health and safety, and therefore guidelines are important. The Norwegian Directorate of Health has prepared guidelines to help employers prepare and follow up on a drug policy.

The campaign attempts to show the different consequences of a liberal alcohol culture, without moral condemnation. The guidelines were developed in close cooperation with the parties in the workplace, state labour actors, relevant competence associations and researchers. According to the guidelines, the employer must identify risks and needs in the workplace, and include drug prevention as part of its work on safety, health and welfare. Employers are also encouraged to make agreements with external parties that can contribute in individual cases.

For more information on these articles or any other issues involving labour and employment matters in Norway, please contact Storeng, Beck & Due Lund (SBDL)