Tuesday, November 9, 2010

Final GINA Regulations (Finally!) Published: Social Media & Employer Acquisition of Genetic Info


The Equal Employment Opportunity Commission today (finally!) issued final regulations implementing Title II (the employment provisions) of the Genetic Information Non-Discrimination Act of 2008 (GINA). As I mentioned in an earlier post, Title II took effect on November 21, 2009, the Commission published proposed regulations last year, but the final regulations were delayed. I also pointed out that employers would have to wait for the final regulations for the EEOC’s treatment of information obtained via social networking sites and employees’ social media profiles. 

The Issue: Acquiring Employee Genetic Information Via Social Media = Violation?
Recall that GINA makes the mere acquisition of genetic information illegal, and the Act broadly defines “genetic information” to include even medical conditions of family members. This left employers wondering if they’d be facing a GINA violation if, for example, a supervisor found an employee’s status update saying he was raising money for multiple sclerosis in honor of his father who is suffering for it. Employers wondered if just receiving that information might be a violation.

Some acquisitions of genetic information aren’t illegal; the law provides specific exceptions. The final regulations now clarify the scope of those exceptions regarding acquisition of genetic information through social networking or social media sites such as Facebook.

No Specific Intent Necessary for Violation
First, it seems worth mentioning that the EEOC pointed out that an employer may violate GINA without a specific intent to acquire genetic information, so the Commission changed the language of the regulations:  the Commission removed reference to “deliberate acquisition” of genetic information, and now indicates Title II of GINA restricts “requesting, requiring, or purchasing” genetic information.

“Inadvertent Acquisition” Exception
Turning to the exemptions, specifically, the Commission pointed out that the “inadvertent acquisition exception” applies not just to interactions in the workplace, but also to interactions that take place online. The regs provide a specific situation in which acquisition of genetic information would not result in a violation under the “inadvertent acquisition” exception:  when a manager or supervisor “inadvertently learns genetic information from a social media platform which he or she was given permission to access by the creator of the profile at issue (e.g., a supervisor and employee are connected on a social networking site and the employee provides family medical history on his page).”

In other words, drawing from the hypothetical I posed in my earlier post, an employer would not violate GINA if an employee sends a friend request to his supervisor, and weeks later, the employee’s status update appears in that supervisor’s Facebook news feed, unexpectedly disclosing genetic information. The inadvertent acquisition exception protects the employer from liability for this acquisition of genetic information.

“Commercially & Publicly Available” Exception
With respect to the exception for genetic information obtained via commercially and publicly available information, the regulations provide that media sources with “limited access” will not be considered commercially and publicly available. That is, this exception doesn’t apply to genetic information obtained through sources such as social networking sites (such as Facebook) that require permission to access from a specific individual or where access is conditioned on membership in a particular group (unless the employer can show access is routinely granted to all who request it). For example, if an employee’s Facebook profile contains genetic information, and that employee has taken advantage of Facebook privacy restrictions so that information is only accessible by the employee’s Facebook friends, the information isn’t considered commercially and publicly available. The Commission was careful to point out the determining factor is whether access requires permission of an individual or is limited to a particular group, and not how a particular web site might be “categorized” -- such as social media, personal web site, blog, or so on. (i.e., Although the converse is more often true, some social or professional networking profiles or portions thereof don’t require permission to access or routinely grant access, whereas some web sites and blogs do limit access.)

Further, even if an employer obtains genetic information through a source deemed commercially and publicly available, it’s not protected by the exemption if the employer sought access to that source with the intent of obtaining genetic information. The EEOC stated, “[f]or example, an employer who acquires genetic information by conducting an Internet search for the name of an employee and a particular genetic marker will not be protected by this exception, even if the information the employer ultimately obtained was from a source that is commercially and publicly available.” This may seem intuitive, but as commentators pointed out, this probably would have been technically possible under the proposed regulations, so it makes sense for the EEOC to include this specific clarification.

The regulations further explains that employers may not obtain genetic information through media sources – even if commercially and publicly available – if the employer is likely to acquire genetic information by accessing those sources. While some might argue an employer should assume an employee’s Facebook profile is likely to contain genetic information, the regulation suggests a higher “likely” standard, “such as Web site and on-line discussion groups that focus on issues such as genetic testing of individuals and genetic discrimination.”

The text of the final regulations may be found at http://bit.ly/9LUP85 and the EEOC’s question-and-answer documents on the final GINA regulations may be found at http://www.eeoc.gov/laws/types/genetic.cfm.