The GDPR is considered as the gold standard for data protection worldwide. The regulation has now emerged as a reference point for many countries outside Europe, such as Chile, South Korea, Brazil, Japan, Kenya, India, Indonesia, and Taiwan. Multinational companies are also voluntarily adhering to the GDPR to save on compliance costs, thereby raising privacy standards for all users globally.
In the context of Covid-19, a large proportion of the information being collected and processed by organizations falls within the definition of “personal data” under the GDPR. However, health data is considered as a special category of personal data and its processing is, in principle, prohibited. Specific derogations exist, but the complexity of the regulation has been a source of legal uncertainty for organizations subject to its requirements.
New challenges for data protection
One key challenge stems from the abrupt shift to remote work caused by the outbreak and associated lockdown or curfew measures adopted by governments. This has led to heightened security risks from malicious actors seeking to take advantage of the pandemic (e.g. piracy, spyware, phishing, etc.). For this reason, it is crucial for organizations to implement appropriate security measures on their IT systems to mitigate cyber threats and protect any sensitive information, including financial data, personal data of employees and customers, and trade secrets.
Another challenge for organizations consists of ensuring the health and safety of employees, while at the same time safeguarding their fundamental rights and freedoms as data subjects. Indeed, in order to limit the spread of the virus in the workplace, employers may need to process more personal data than before, especially health data. Many companies are tempted to rely on their employees' consent to such data. Due to the imbalance of power in employment relationships, however, an employee’s consent is generally not regarded as “freely given” and is unlikely to comply with the GDPR.
Do’s and don’ts during Covid-19
First, organizations should closely monitor national law requirements, as well as any guidance issued by the European Data Protection Board (EDPB) and Data Protection Authorities (DPAs). While such guidance is non-binding, it is intended to set out best practice as to how to navigate through the pandemic in accordance with data protection rules. As a result, proactive compliance may limit the risk of liability in the event of future regulatory investigations and/or litigation.
Second, the GDPR requires organizations to carry out a data protection impact assessment (DPIA) if the processing is likely to result in a high risk to the rights and freedoms of individuals. Consequently, organizations considering the processing of personal data in relation to Covid-19 must conduct a DPIA and regularly update it as new risks emerge in this rapidly evolving situation.
Third, companies should be mindful of how they deal with Covid-19 cases internally. According to the EDPB, organizations should inform staff about any Covid-19 cases without communicating more information than necessary. In particular, the identity of employees who have tested positive may only be revealed to office personnel if national law allows it, provided that “the concerned employees shall be informed in advance and their dignity and integrity shall be protected”. In France, the CNIL has stated that disclosing the name of the affected employees is prohibited in the absence of any specific legislation.
Finally, it is important to continue to meet the statutory deadlines laid out in the GDPR. Organizations facing difficulties due to Covid-19 may extend by two months the period to respond to data subject requests depending on the complexity and number of requests. In that event, they must document and clearly communicate to the relevant individuals the reasons for the delay in handling their requests.
The risks of GDPR non-compliance
The GDPR provides DPAs with different options in case of non-compliance with data protection rules, including a maximum fine of up to €20 million or four percent of the company’s total annual worldwide turnover, whichever is higher.
Given the challenges faced by organizations in responding to Covid-19, the Irish Data Protection Commission and the UK Information Commissioner’s Office (ICO) have both recognized the need for a proportionate regulatory response.
At the European level, the EDPB has yet to address the question of leniency in the context of Covid-19. On the contrary, it stated that “[d]ata protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic” and that “even in these exceptional times, the data controller and processor must ensure the protection of the personal data of the data subjects”.
In any event, the GDPR itself allows regulators to consider the circumstances of each individual case when deciding whether to impose an administrative fine, and the amount of such fine. Consequently, the Covid-19 crisis may be regarded as a “mitigating factor” which warrants a lesser fine in case of violations of the GDPR. Ultimately, this will depend on the regulatory approach adopted by the competent authority, as well as the particular facts of the case, including whether the organization’s non-compliance is the result, or is unrelated to Covid-19.
Many organizations are considering a variety of new protocols, ranging from self-reporting questionnaires, thermal cameras, temperature checks to contact-tracing and location monitoring devices. The EDPB and DPAs have already written about some of these measures from a data protection law standpoint. The French CNIL, for example, has published guidelines on the use of smart and thermal cameras in the context of the pandemic, highlighting the need for specific guarantees, in addition to those already provided by the GDPR.
Now that vaccines have finally arrived, employers need to get to grips with some tricky legal issues, including whether they can mandate their workforce to get vaccinated against Covid-19. In December 2020, the U.S. Equal Employment Opportunity Commission confirmed that employers have the right to do so, provided that they accommodate workers who request exemptions due to a disability or sincerely held religious belief. In Europe, as long as vaccination remains voluntary, it is highly unlikely that employers will be able to insist that all of their employees get vaccinated. There is, however, a growing debate around a common vaccine certificate as a condition to travel within the bloc.
One thing’s for sure: organizations should prepare for the additional data privacy considerations that will arise as employees return to the workplace.
Mathilde Gérot, Senior Associate, Signature Litigation
Julia Caudal, Trainee Lawyer, Paris Bar School