Update 25 March
This is an update of our article on the privacy aspects of the approach to the corona virus in connection with the publication of an update of the guidance issued by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), the European Data Protection Board (EDPB), and the more stringent measures in the fight against the corona virus announced by the Dutch government on 23 March 2020.
To prevent the further spread of the corona virus (COVID-19), many people, especially since mid-March, have been ordered by the safety regions and their employers to work from home. As a result, work and private life have become increasingly intertwined. The data protection authorities underline that, even under these exceptional circumstances, employers will have to comply with privacy regulations. This equally applies to employees who still go to their offices, such as those working in the designated vital sectors, but also to visitors and customers of (designated vital) institutions and companies that are still open.
We have noticed that organisations have many questions about compliance with privacy regulations. This is especially so because health data quickly comes into play, and health data may only be processed if a specific legal exception to the general prohibition on processing health data can be invoked. Furthermore, we see these privacy questions arise mainly in connection with the unforeseen measures, the great importance of restricting and delaying the spread of COVID-19 and the mandatory contribution to this by organisations, and the major economic consequences. We expect that new privacy issues will continue to arise along with the further development of the pandemic and the measures taken, as the government expects COVID-19 to continue to spread among us for a longer period of time and the final measures have not been taken yet.
Data protection authorities not on the same page yet
Currently, many European data protection authorities - including the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) - have issued guidance on how to process the personal data of employees and, to a limited extent, of visitors and customers. Although the AP initially issued only brief advice, it has now - after a critical response - elaborated on its advice in more detail. Whereas the AP normally applies a strict policy for monitoring the health of employees, the regulator now acknowledges that combating COVID-19 has top priority. According to the Dutch Data Protection Authority, privacy regulations must not hinder taking the measures necessary to combat the consequences of COVID-19.
This brings the view of the Dutch supervisory authority a bit more in line with the publications of, among others, the German, English, Danish, French, Irish, and Belgian data protection authorities, who had already issued more extensive guidance. These statements can also be relevant for organisations in the Netherlands. However, it appears from these opinions that the data protection authorities are not on the same page yet. Some authorities are more liberal in allowing the processing of health data than other, stricter data protection authorities.
The European Data Protection Board (EDPB), the body in which all European privacy supervisors are united, has also made its voice heard. After a rather long period of silence, the first short press release was issued on 16 March 2020, in which the EDPB stated that privacy legislation allows for the processing of personal data in exceptional circumstances such as those of the corona virus. The EDPB states that in the context of a pandemic and when acting in accordance with national law, employers are allowed to process health data of their employees for reasons of public interest in the field of public health or to protect vital interests.
Soon after its publication, the first press release was followed on 19 March 2020 by a more extensive public statement that included a short Q&A for employers. The EDPB reaffirms that the importance of taking action in an emergency situation such as the outbreak of COVID-19 can legitimise the fact that organisations process more personal data than would be permitted under normal circumstances. Employers may, for example, if there is a legal obligation or if public health is at stake, record or monitor the temperature of employees who have COVID-19 and inform other employees about colleagues who have been diagnosed with COVID-19. However, the expansion of the processing activities must be proportional and reversible so that the additional processing activities can be reversed after the emergency situation has ended.
In our opinion, the EDPB and the Dutch Data Protection Authority allow organisations, where necessary and proportionate, to expand data processing activities. In line with the statement of the EDPB, we see more possibilities for organisations, including employers (whether or not by means of the company doctor), to be allowed to process health data on the basis of the leeway provided by the GDPR, in conjunction with the national emergency decrees, the local emergency decrees of the safety regions and applicable labour law obligations. However, whether the processing of personal data, in particular health data, is actually permitted depends strongly on the applicable national regulations and the situation at hand. For example, it will depend on whether it concerns an employee working at home or organisations active in a designated vital sector. Depending on the circumstances, organisations will have to keep making a thorough assessment of what is permitted and what (additional) privacy safeguards must be put in place.