Following the outbreak of COVID-19, organizations have been implementing exceptional measures to maintain "business-as-usual" to the extent allowed by their particular circumstances and to protect their employees, customers and others from this global pandemic situation.1
As a result of these extraordinary efforts, organizations are collecting and processing new types of information about individuals, including the health status of individuals within the same household, the results of any COVID-19 testing, and the various locations individuals have visited since the outbreak started.
The new information being collected qualifies as personal data and, more particularly, as sensitive data (in GDPR terms, "special category data" or "SCD"), in that it concerns the health of individuals. Its processing is thus subject to the strict compliance requirements imposed by the General Data Protection Regulation ("GDPR")2 and the French Data Protection Act 1978 in its latest version ("FDPA").3
Here, we set out an overview of the key issues for organizations to consider during this crisis, from a French and EU data protection compliance perspective:
1. Organizations should consider undertaking a DPIA before collecting personal data from individuals relating to the coronavirus disease.
Prior to collecting any personal data relating to COVID-19 from the individuals, organizations should consider undertaking a data protection impact assessment ("DPIA").
A DPIA is intended to help data controller organizations understand the risks associated with particular data processing activities and to identify the measures that can be taken to mitigate such risks. A DPIA will also help to inform the changes that may be required in other data protection-related compliance documentation within the organization, such as privacy notices and records of processing activities.
The GDPR and Article 62 of the FDPA require organizations to undertake a DPIA if the processing is likely to result in a high risk to the rights and freedoms of individuals.4 Guidance issued by data protection regulators suggests that a DPIA should be performed where a processing activity involves biometric data, genetic data and/or tracking data. In France, the Commission nationale de l'informatique et des libertés ("CNIL") provides a detailed list of processing operations for which a DPIA is mandatory, which includes the processing of:
- health data by healthcare institutions or medico-social institutions for the purpose of the care of individuals;
- genetic data of so-called "vulnerable" persons;
- data for the purpose of managing alerts and reports on social and health matters; or
- health data necessary for the establishment of a data warehouse or register.5
Organizations that have already started to process this new personal data without undertaking a mandatory DPIA should consider completing one as soon as possible. Even if a DPIA is not mandatory, organizations should nevertheless consider the benefits of undertaking one to help ensure that all relevant risks are being identified and mitigated, and to comply with the accountability principle.
2. Organizations must have an appropriate legal basis for processing personal data collected from individuals relating to the coronavirus disease.
After organizations have clearly identified the purpose of the collection of the personal data and the categories of personal data that are strictly necessary for that purpose, they should assess the legal basis for processing the personal data.6 In the context of data processing relating to COVID-19, organizations may be able to rely on their legitimate interests (supported by a legitimate interests assessment7), contractual necessity and/or their obligation to comply with legal obligations (e.g., health and safety obligations related to employee protection).
Note that in France, the following additional legal bases can be considered:
- Public interest in the area of public health: If an organization is acting on the advice of public medical advisers, it may be possible to rely on this legal basis to justify the processing of SCD relating to the COVID-19 disease.8 In France, the National Public Health Agency (Agence nationale de santé publique) published an informative note on the processing of data relating to COVID-19, explaining that such processing is based on the performance of a task carried out in the public interest (pursuant to Article 6 (1) (e) of the GDPR) and that the purpose of such processing is to respond to a health alert in accordance with Article 67 of the FDPA. In this respect, the CNIL points out that the assessment and collection of information on COVID-19 symptoms and on the recent movements of certain persons is the responsibility of the public health authorities, which are qualified to take appropriate action with regard to data concerning health; and/or
- Vital interest of the data subject/another natural person: If an organization is processing data relating to COVID-19, such processing is lawful if it is necessary to protect the vital interests of the data subject or of another natural person;9 and/or
- Employment-related obligations: As noted above, an organization may be subject to certain obligations under employment law in respect of which the processing of SCD relating to COVID-19 may be justified. The CNIL recently recalled that the employer is responsible for the health and safety of employees/agents in accordance with the Labor Code.10 In this respect, the employer must implement actions to prevent occupational risks, provide information and training, and set up the appropriate organization and means to manage those tasks. The CNIL states that the employer may (i) raise awareness and invite its employees to provide individual feedback on information concerning them in relation to possible exposure; (ii) facilitate the transmission of such feedback by setting up, if necessary, dedicated channels of communication; and (iii) promote remote working methods as well as encourage the use of occupational medicine. In the event of a report, the employer is notably allowed to record the date and identity of the data subject suspected of exposure and the organizational measures taken (e.g., remote working). The employer may thus communicate to the health authorities, upon request, the information relating to the nature of the exposure, which may be necessary for the medical care of the exposed person;11 and/or
- Preventative or occupational medicine: An organization that is acting on the advice of its medical advisers may be able to justify the processing of SCD relating to COVID-19 if it is necessary for the purposes of preventative or occupational medicine.
As a reminder, consent from employees is generally not regarded as freely given (and is therefore invalid) due to the apparent imbalance in power between the organization and the individual; relying on consent as the legal basis for processing is unlikely to be considered compliant with the GDPR or the FDPA.12
3. Other issues to consider from a data protection compliance perspective
There are a number of other issues that organizations need to consider from a data protection compliance perspective, including:
- Disclosure of COVID-19 cases to personnel: As part of the obligation to ensure the health and safety of employees, employers may inform personnel about COVID-19 cases. Disclosure of such information should be as limited as possible. If it is necessary to disclose the name of the employee who has contracted COVID-19 to enable other personnel to take appropriate protective steps, the employee who has contracted the virus should first be informed of the intended disclosure.13
- Responding to individual rights requests: It is likely that an organization's efforts and attention may be focused on tackling the implications of the coronavirus outbreak, but care should be taken to avoid failure to meet deadlines associated with responding to individual rights requests. If an organization is concerned that it may not be able to meet such deadlines, this should be communicated to the relevant individuals as soon as possible.
- Local law requirements and guidelines: EU Member States each have their own data protection laws, and organizations with operational activities beyond France will have to take into account these other national laws, together with any guidance issued by local regulators.
- Remote working policies: With many organizations encouraging, or mandating, individuals to work remotely, now would be a good time for organizations to review and (if necessary) update remote working policies, and to remind personnel of the requirements of these policies.
- Data security: In light of the current context, it will be particularly important for organizations to maintain a close watch on system security and developing cyber threats.14 Personal data and SCD must be adequately safeguarded, and the more sensitive the data that are being processed, the more robust the applicable security measures must be to protect such data.15 Additionally, organizations must ensure that they continue to meet the deadlines for notifying data protection regulators (and individuals, as necessary) of personal data breaches that trigger the notification requirement.16
- Third-party data sharing: It may be necessary to share the new personal data being collected with third parties (e.g., IT service or healthcare providers) for data processing purposes, or in relation to certain contractual obligations (e.g., under insurance contracts). Data processing agreements compliant with the requirements of the GDPR should be entered into with the relevant third parties.
- Voluntary disclosure by affected data subjects: If data subjects affected by COVID-19 have manifestly made their health data public,17 the processing of such personal data by third parties is lawful.
- Personal data of deceased data subjects: Although the GDPR expressly excludes such data from its scope of application,18 the principles relating to the processing of personal data are exceptionally likely to apply to the disclosure of data of deceased persons, in cases where the disclosure of identifying elements of persons who died from COVID-19 may lead to the indirect identification of living natural persons who were in contact with them.19 Unlike the GDPR, the FDPA expressly regulates the processing of data after the death of the data subject20 and notably states that such data may be processed for research, study or evaluation purposes in the area of health, unless the data subject, during his/her lifetime, expressed his/her refusal in writing.21
4. Monitor regulatory guidance issued in response to the coronavirus outbreak
Data protection regulators have shown that they are aware of the challenges organizations face in responding to this evolving crisis and the associated data protection compliance obligations.
The European Data Protection Board ("EDPB") has stressed that data protection laws in the EU do not, and should not, hinder the response to the COVID-19 pandemic, but has issued a reminder to all organizations subject to the GDPR that they must remain compliant with their obligations under the GDPR (and associated legislation, such as the ePrivacy directive). The EDPB has also acknowledged that an emergency such as this is a "legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period."22
The CNIL published a reminder of the principles governing the processing of personal data in the context of COVID-19. The CNIL in particular recalls that in France, these data are subject to special protections, notably under the Labor Code and the Public Health Code. While this health crisis requires all actors to be particularly vigilant, the CNIL invites individuals and professionals to follow the recommendations issued by the health authorities and to collect only the data on the health of individuals that has been requested by the competent authorities. The CNIL also notes that multiple health actors are willing to implement research projects on COVID-19 very promptly, and has declared that the corresponding requests for authorization will be processed as a priority. On employment-related issues, the CNIL insists that employers should not take measures that could infringe the privacy of data subjects, in particular by collecting data concerning health that would go beyond the handling of suspected exposure to the COVID-19 virus. The CNIL recalls that employers must refrain from collecting, in a "systematic and generalized manner", or through individual inquiries and requests, information relating to potential symptoms of their employees, agents and their relatives. Hence, the CNIL recommends against implementing mandatory body temperature records for each employee, agent or visitor to be sent on a daily basis to their superiors, or collecting medical records or questionnaires from all employees or agents.23
In addition, the CNIL recently reminded the French government that the use of geolocation/location data must respect the fundamental rights and freedoms of individuals. These recommendations24 were formulated on 25 March 2020, following the establishment of the Committee for Analysis, Research and Expertise (Comité analyse recherche et expertise), which was appointed to examine "the opportunity to implement a digital strategy for the identification of persons", especially through measures for the monitoring of movements to combat COVID-19. The CNIL points out that, in order to limit the impact on individuals, the State must "give priority to the processing of anonymised data and not to individual data" whenever the purpose of the processing can be met that way. In cases where individual monitoring appears necessary, it "should be based on a voluntary approach by the data subject". In any case, the French government must ensure that the objectives of any tracking device are objectively and precisely defined. Lastly, the CNIL recommends legislative intervention to amend the applicable law if the State intends to implement more advanced tracking measures without the prior consent of the data subjects.
Organizations should continue to monitor guidance issued at a European level by the EDPB, as well as the guidance of national data protection regulators in the countries in which they have a presence.
1 The World Health Organization declared the coronavirus disease (COVID-19) outbreak a pandemic on 11 March 2020.
2 For more information on the various compliance requirements imposed by the EU General Data Protection Regulation on organizations processing data, please see our GDPR Handbook.
3 For further information on the local laws implementing the GDPR in each EU Member State, please see our GDPR Guide to National Implementation.
4 See Article 35 of the GDPR and Article 62 of the FDPA.
5 See the list of special circumstances where a DPIA is required, issued by the CNIL and dated 11 October 2018, as well as guidance issued by the European Data Protection Board on the types of processing activities that are likely to trigger the requirement to conduct a formal DPIA.
6 See Article 6 GDPR and Article 5 of the FDPA.
7 See the CNIL guidance on conducting a "legitimate interests" assessment.
8 The European Data Protection Board, in its Statement on the processing of personal data in the context of the COVID-19 outbreak, confirmed that the GDPR does not prohibit the use of personal data for responding to the COVID-19 virus outbreak, and noted that it is in the "substantial public interest".
9 The European Data Protection Board, in its Statement, considers that the "GDPR also foresees derogations where there is the need to protect the vital interests of the data subject (Art.9.2.c), as recital 46 explicitly refers to the control of an epidemic".
10 Article L. 4121-1 of the Labor Code.
11 In its publication "Coronavirus (Covid-19): CNIL reminders on personal data collection".
12 See the European Data Protection Board Guidelines on Consent under Regulation 2016/679, in particular, section 3.1.
13 The position is supported by the European Data Protection Board in its Statement on the processing of personal data in the context of the COVID-19 outbreak.
14 In the wake of the COVID-19 pandemic, there has been a significant rise in coronavirus-related malware and phishing scams (as detailed here and here).
15 See Article 32 GDPR, and Articles 4-6 and 121 of the FDPA.
16 See Article 33 GDPR and Article 58 of the FDPA. Organizations subject to the NIS Directive and the relevant national implementing legislation should also remain cognizant of the incident notification obligations imposed by that law, which apply in addition to the GDPR's personal data breach notification requirement.
17 See Article 9 (2) (e) of the GDPR and Article 6-II of the FDPA.
18 Recital 27 of the GDPR provides that "This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons".
19 See the guidance issued by the Hellenic Data Protection Authority (HDPA).
20 Article 85 of the FDPA.
21 Article 86 of the FDPA.
22 See the European Data Protection Board Statement on the processing of personal data in the context of the COVID-19 outbreak.
23 CNIL publication dated 6 March 2020 "Coronavirus (Covid-19): CNIL reminders on personal data collection".
24 Please note that the content of these recommendations is not yet publicly available, hence our citations refer to press articles, e.g., https://www.usine-digitale.fr/article/covid-19-la-cnil-s-inquiete-du-pistage-massif-de-la-population.N946491; and https://siecledigital.fr/2020/03/27/covid-19-la-cnil-sinquiete-dun-potentiel-tracage-numerique-en-france/
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2020 White & Case LLP