The novel coronavirus has upended business operations on a global scale, and mitigation efforts continue to be implemented to help organizations stay afloat during this unprecedented pandemic. On March 19, 2020, the European Data Protection Board (EDPB), the independent EU body established by the General Data Protection Regulation (GDPR) and composed of representatives of each national data protection authority and the European Data Protection Supervisor, issued a statement on the processing of personal data during this public health crisis. The statement emphasizes that while data protection rules should not hinder the fight against COVID-19, the prescribed steps to protect personal data still apply.
U.S. companies with operations in the EU should proceed with caution before citing COVID-19 as a justification for modifying any compliance practices. Specifically, companies should familiarize themselves with the exceptions that allow health data to be processed under the GDPR, and with the role that national laws play both in implementing EU rules and within the employment setting.
GDPR’s Public Health Exception
The GDPR recognizes, in the context of epidemics and pandemics (see Recital 46, which expressly mentions monitoring epidemics and their spread), legal grounds on which employers and public health authorities may process personal data, including health data, without the consent of the individuals concerned. For health data, which is a special category of data under Article 9, these grounds include processing that is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health (Article 9(2)(i)); processing necessary to protect an individual's vital interests where that individual is incapable of giving consent (Article 9(2)(c)); and processing necessary to comply with obligations under employment law, such as workplace health and safety laws (Article 9(2)(b)). None of these grounds removes the need for a corresponding lawful basis under Article 6 or for compliance with the GDPR's other requirements.
National Laws or “Derogations”
However, these exceptions do not suspend GDPR-mandated data protection measures; they only supply a legal basis for the processing itself. Companies must also consider the laws of every EU member state in which they operate, especially those governing employees and the collection or use of health data for employment purposes. The GDPR expressly permits member states to adopt their own additional rules, the so-called "national derogations" (for example under Article 88 for processing in the employment context and Article 9(4) for health data), which provide more specific guidance on how the GDPR's provisions are applied within that country.
With respect to the processing of personal data, including health data, many EU member states require that employees receive transparent information about an employer's processing activities, including the purposes of the processing and the retention period for the collected data. Heightened security and confidentiality requirements also typically apply to the processing of special categories of data such as health data.
In its statement on the COVID-19 pandemic, the EDPB reminds data controllers and processors of such data that they must document the measures implemented to manage the emergency situation, consistent with the GDPR's accountability principle. In addition, most EU member state data protection authorities have issued their own statements, FAQs and other materials on the processing of personal data for COVID-19 purposes, including the use of health data within the employment setting.
Therefore, U.S. companies operating in the EU, especially those collecting and processing the data of EU residents for clinical trials or those with employees in the EU, are encouraged to consult privacy counsel versed in EU law. Counsel can help them understand the national data protection laws of the countries in which they do business, particularly as those laws relate to the GDPR's public health exception, as well as any national employment laws that govern the collection of employee health data.
- Companies cannot suspend GDPR compliance under the guise of the COVID-19 public health crisis.
- Although a legal basis under the GDPR or EU employment laws may allow you to process health data in the context of COVID-19, such processing remains subject to all GDPR data protection principles, including data minimization, storage limitation, proportionality and the obligation to implement adequate safeguards.
- Even if you are allowed to collect personal data in the EU under one of these exceptions, transferring that data outside the EU remains restricted unless a transfer mechanism under Chapter V of the GDPR applies, such as an adequacy decision, appropriate safeguards like standard contractual clauses, or one of the Article 49 derogations. This deserves particular attention for special categories of data such as health data, which remain subject to the Article 9 conditions after transfer.
- Employers should review the employment laws of each nation in which they operate to understand what they can and cannot ask employees in the face of the COVID-19 crisis.
While it is completely understandable that companies wish to play their part in preventing the spread of COVID-19, privacy concerns and compliance obligations cannot be set aside. We recommend that all companies with EU operations proceed cautiously before acting on any well-intended assumptions about the legality of their efforts. If you have questions about data collection or processing in the EU in the face of COVID-19, or about the GDPR in general, please contact Stephan Grynwajc at email@example.com or 347-543-3035.
Stephan Grynwajc served as a senior in-house attorney for several blue-chip technology corporations (e.g., Intel and Symantec) in France, the U.K. and the U.S., and today, focuses his practice on advising U.S.-based clients on navigating the EU privacy landscape. firstname.lastname@example.org