A sea change in data protection law in the European Union (EU) is about to take place, and your organization doesn’t have to be based in the EU to feel its impact.  The General Data Protection Regulation (GDPR) will take effect on May 25, 2018.  The GDPR applies not just to EU Member States, but also to U.S. organization with EU-based employees.  Any U.S. organization that has a branch, office, affiliate, franchise, or agent based in the EU should check if it must comply with the GDPR.  Failure to comply with the GDPR can lead to fines of up to 20 million euros or 4% of annual global turnover (revenue), whichever is higher.

The GDPR regulates how “personal data” of EU citizens is collected, stored, processed, and destroyed.  The GDPR definition of “personal data” has a broader meaning than how U.S. laws usually define the term.  In addition to typical identifying information (e.g., name, address, driver’s license number, date of birth, phone number, or email address), “personal data” under the GDPR includes more expansive categories of data such as salary information, health records, and online identifiers (dynamic IP addresses, cookie identifiers, mobile device IDs, etc.).  The GDPR also provides heightened levels of protection for special categories of employee data, including racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning an employee’s health, sex life, or sexual orientation, and biometric and genetic data.

The GDPR has wide-ranging effects on data collection, use, and retention.  Some of the data practices regulated by the GDPR include:

  • Data processing – Consent is one legitimate basis for processing personal data of employees, but the GDPR requires that consent be freely-given, specific, informed, and revocable. This means most blanket consent provisions typically found in employment contracts are not valid.  If obtaining consent according to GDPR requirements isn’t practical, an employer might need to rely on other legal bases for processing employee data.  Processing employee data is legal if it is necessary for the performance of the employment contract, required by law, or in the employer’s legitimate interests which outweigh the general privacy rights of employees.
  • Employee monitoring – The GDPR limits what employers may do with data obtained through employee monitoring.
  • Notification – The GDPR specifies what information employers must include in notices informing employees about the kind of personal data that will be collected from them.
  • Right to be forgotten – Under certain circumstances, data subjects have the right to require data controllers to erase their personal data.
  • Data portability – A person is entitled to transfer their personal data from one electronic processing system to another without being prevented from doing so by the data controller.
  • Data breach – The GDPR governs the procedures and substantive requirements for giving notification of a personal data breach.

Now is the time to revisit your employment contracts and policies with privacy counsel to ensure compliance with the GDPR.

Social media seems to be a favorite forum for employees to complain about their workplace.  Firing employees for posting work-related social media messages can land an employer in trouble.  But is management absolutely forbidden from firing employees for making offensive comments on social media?  Is there a line employees may not cross?  The Second Circuit Court of Appeals took up this question recently in NLRB v. Pier Sixty, LLC, 855 F.3d 115 (2d Cir. 2017).

The Facebook Firing

In early 2011, New York catering company Pier Sixty was in the middle of a tense organizing campaign that included management threatening employees who might participate in union activities.  Two days before the unionization vote, Hernan Perez was working as a server at a Pier Sixty Venue.  His supervisor, Robert McSweeney, gave him directions in a harsh tone.  On his next work break, Perez posted this message on his Facebook page:

Bob is such a NASTY MOTHER FUCKER don’t know how to talk to people! ! ! ! ! ! Fuck his mother and his entire fucking family! ! ! ! What a LOSER! ! ! ! Vote YES for the UNION! ! ! ! ! ! !

Perez knew that his Facebook friends, including ten coworkers, could see the post, although he allegedly thought his Facebook page was private.  Perez removed the post three days later, but not before it came to management’s attention.  Perez was fired after an investigation.

The National Labor Relations Board (NLRB) decided that Pier Sixty unlawfully terminated Perez in retaliation for “protected, concerted activities.”  Pier Sixty appealed to the Second Circuit and the NLRB filed an application for enforcement of its decision.

Evolving Standards of Whether Obscene Comments Lose Protection

Employees have the right to engage in “concerted activities for the purpose of collective bargaining or other mutual aid or protection” under Section 7 of the National Labor Relations Act (NLRA).  But if an employee’s actions lose NLRA protection if they are “so opprobrious and egregious as to render him or her ‘unfit for further service.’”  See Atlantic Steel Co., 245 NLRB 814 (1979).  Pier Sixty argued that Perez engaged in “opprobrious” conduct by posting obscenities on Facebook.

The Second Circuit noted that the test for opprobrious conduct was unsettled.  The NLRB traditionally used the Atlantic Steel four-factor test that considers the location and subject matter of the discussion, the nature of the employee’s outburst, and if the outburst was provoked by an employer’s unfair labor practice.  But in 2012, the NLRB began using a “totality of the circumstances” test in social media cases to address the unique context of social media and allay concerns that the Atlantic Steel test did not adequately consider employers’ interests.

Second Circuit Sidesteps Review of NLRB’s New Test

Without addressing the validity of the “totality of the circumstances” test, the Second Circuit found “substantial evidence” that Perez’s comments were not so egregious as to lose NLRA protection.  Perez’s message, though vulgar, included workplace concerns and was part of a “tense debate over managerial mistreatment in the period before the representation election.”  Pier Sixty also did not previously discipline employees for widespread profanity in the workplace.  Finally, Perez’s comments were not made in the immediate presence of customers and did not disrupt the catering event.  Despite deciding that Perez’s conduct was not “opprobrious,” the court noted that the case sat “at the outer-bounds of protected, union-related comments” and reminded the NLRB to develop a test giving weight to employers’ legitimate disciplinary interests in preventing employee outbursts in the presence of customers.

Takeaways

Pier Sixty teaches that an employee may not be fired simply for making profanity-laced comments on social media if the comments are related to the workplace.  The fact that the comments are accessible to members of the public, including customers, is not determinative.  So at what point do an employees’ obscene comments lose protection?  That remains an open question after Pier Sixty, but the court’s comments inspire hope that the NLRB will craft a more employer-friendly standard in the future.

 

“Why did you fire my wife?”  Bradley Reid Byrd posted this question on the Facebook page of Cracker Barrel.  Byrd wanted to know why his wife was let go after working for the restaurant chain for 11 years.  The post remained largely unnoticed for about a month until a comedian uploaded a screenshot of it to his Facebook page and his 2.1 million followers.  The internet outrage machine then kicked into high gear.  Multiple hashtags were created (#JusticeForBradsWife, #BradsWifeMatters, #NotMyCountryStore).  Someone started a “Brad’s Wife” Facebook page.  A Change.org petition demanding answers from Cracker Barrel was launched.

Social media makes it easy to channel the furor of the masses against an organization.  The instigator could be anyone with some connection to the organization – a former or current employee, their relatives, or a customer.  What should an organization do if it finds itself at the center of an internet controversy?

Responding to negative online comments is a delicate exercise, and missteps early on can  damage an organization’s reputation tremendously.  From a human resources perspective, the first step is to control who, if anyone, should respond.  Employees should be prohibited from making “rogue” responses on behalf of the organization.  Employers should state this restriction clearly in their social media policy and train employees on the importance of compliance.

After deciding who will handle the response, the next step is figuring out what to say.  The knee-jerk reaction to inflammatory or untrue online comments might be to threaten a defamation suit against the posters, but that can backfire and damage the organization’s reputation even more.  Sometimes the best response is to say nothing and let the controversy pass.

If a response is warranted, consider who the audience will be and how they might respond to it.  Pointing out flaws in the negative comments could be perceived as overly defensive.  On the other hand, respectfully acknowledging the negative comments or posting positive content about to organization could defuse the controversy.

Whatever the response, it should be the product of careful consideration.  On the internet, it takes just a few clicks to set off a firestorm.

 

 

On January 1, 2017, the National Labor Relations Board (NLRB) Office of the General Counsel released an advice memorandum (dated September 22, 2016) reviewing the social media policy in Northwestern University’s revised Football Handbook.  The memorandum contains valuable guidance in an area full of uncertainty, as the NLRB has struck down seemingly common sense social media policies because of their potential to chill employees’ rights under Section 7 of the National Labor Relations Act (NLRA) to engage in “concerted protected activities.”  Section 8 of the NLRA prohibits employees from restraining employees from exercising their Section 7 rights.

According to the memorandum, Northwestern voluntarily revised its Football Handbook after receiving a charge alleging that the handbook violated the NLRA.  The advice memorandum reviewed the revised handbook for compliance with the NLRA.  Assuming for the purpose of the review that Northwestern’s football players are “employees” under the NLRA, the advice memorandum concluded that the revised social media policy passed muster.

The memorandum reprinted the original language of the policies along with the revisions in redline, as follows (deleted language in strikeout and new language in bold):

[W]e are concerned about… protecting the image and reputation of Northwestern University and its Department of Athletics and Recreation. . . .

Publicly posted information on social networking websites can be seen may be regularly monitored by any person with a smart phone or internet access, including individuals a number of sources within Northwestern University (e.g., Athletics Department, Student Affairs, University Police). . . .

Northwestern student-athletes should be very careful when using online social networking sites and keep in mind that sanctions may be imposed if these sites are used improperly or depict inappropriate, embarrassing harassing, unlawful or dangerous behaviors such as full or partial nudity (of yourself or another), sex, racial or sexual epithets, underage drinking, drugs, weapons or firearms, hazing, harassment, unlawful activity or any content that violates Northwestern University, Athletics Department or student-athlete codes of conduct and/or state or federal laws.

….

Do not post any information, photos or other items online that contain full or partial nudity (of yourself or another), sex, racial or sexual epithets, underage drinking, drugs, weapons or firearms, hazing, harassment or unlawful activity could embarrass you, your family, your team, the Athletics Department or Northwestern University.

Although the advice memorandum did not elaborate on why the original policy could violate the NLRA while revised policy would not, it provides important clues on drafting lawful social media policies.  The modifications to the policy generally substituted vague terms like “inappropriate” and “embarrassing” with descriptions of the content that the policy prohibits.  For example, the revised policy specifically prohibits social media posts depicting “nudity,” “racial or sexual epithets,” and “underage drinking,” among other things.  The revised policy also eliminated protection of the employer’s “image and reputation” from the description of the policy’s purpose.  In previous guidance, the NLRB has determined that employers may not require employees to refrain from engaging in activity that generally damages the employer’s reputation because that could be construed to prohibit “concerted protected activity” such as criticism of work conditions or compensation policies.

The recent advice memorandum reinforces the need to be precise when drafting a social media policy.  Experienced counsel can assist in identifying the types of social media content that the NLRB has allowed employers to prohibit employees from posting.

It’s generally a good practice to set standards of online employee conduct to prevent the social media activity of employees from disrupting the workplace or tarnishing your organization’s reputation.  But the mere fact that an employee comments on controversial subjects on social media doesn’t necessarily justify disciplinary action.  That’s especially true in the case of a public employer.  Disciplining a government employee for posting social media messages about a topic of public concern could violate the First Amendment, as illustrated by a recent Ohio decision.  Hamm v. Williams, Case No. 1:15CV273 (N.D. Ohio, Sept. 29, 2016).

Hamm centered around the controversy over the fatal police shooting of two unarmed African-Americans following a high-speed car chase.  The incident — sometimes known as the “137 shots” in reference to the number of bullets that were fired at the couple — was highly publicized and the target of protests by the Black Lives Matter movement.  Seven Cleveland police officers were indicted as a result.  While off-duty, a Cleveland police officer (Hamm) used his home computer to post Facebook comments criticizing the indictments and showing support for his colleagues.  Approximately one week later, Hamm wrote on Facebook that an unidentified individual found his original comments offensive and had reported the first post to his supervisors.

After conducting an investigation, the supervisors determined that Hamm had breached department rules against using social media to discuss a criminal investigation involving the department or posting material that would “tend to diminish” public esteem for the department.  The department suspended Hamm for 10 days.  Hamm sued the city for retaliating against him for exercising his First Amendment right to free expression.

Under U.S. Supreme Court precedent, government employees have a First Amendment right to speak as private citizens on matters of public concern.  However, an employee’s constitutionally protected right to free expression must be balanced against a public employer’s interest in efficient delivery of public services.

The court determined that Hamm was speaking as a private citizen, as he had posted the Facebook comments while he was off-duty using his home computer.  The subject of his comments – a highly publicized police shooting and the aftermath – was a matter of “political, social or other concern to the community” and not just a “quintessential employee beef.”

The city argued that a police department, as a paramilitary organization charged with maintaining public safety and order, had a greater interest in regulating the speech of its employees than an ordinary public employer.  The city contended that it was justified in ensuring that officers are not publicly criticizing an investigation or placing a stigma on the criminal justice system or internal police operations.

The court rejected the city’s arguments because it found no evidence that Hamm’s posts actually resulted in work stoppages or that any officers declined to fulfill his or her duties because of Hamm’s posts.  The court therefore allowed Hamm to proceed to trial on his First Amendment retaliation claim.

Hamm is a good reminder that discipline should not be a knee-jerk reaction to controversial social media posts of an employee.  Conduct an investigation and collect evidence of the actual or potential disruptive impact of the comments before taking disciplinary action.  If you’re a public employer, the First Amendment adds an extra layer of protection for employees.  Consult experienced counsel to help you analyze the impact of constitutional protections for online employee speech.