Technology may allow companies across Europe to open more quickly and protect the health of employees as they try to rebound from coronavirus lockdowns.
It might also mean they end up in court.
With lockdowns lifting, many employers plan to use systems, including fever-detecting thermal cameras, mask-checking systems and corporate contact-tracing devices, to help prevent new Covid-19 outbreaks. But in the
“At the moment it’s a bit like the Wild West,” said
But some of those decisions, she said, are being made with a risk that courts will later find that they were ill-considered when the crisis passes.
Data protection violations alone could lead to fines of as much as 4% of a company’s annual sales under the EU’s General Data Protection Regulation, or GDPR. But firms are also bumping up against employment laws that could bring penalties or, in rare cases, jail time for executives, if they’re found to have insufficiently protected workers’ safety.
Lack of Consistency
GDPR and privacy watchdogs have been surprisingly flexible during the crisis on the use and collection of data to protect people’s health and stem the infection’s rapid spread across the EU. Still, there are limits on how much data can be collected or how long it’s stored. Even though data-protection rules are harmonized, national watchdogs may have different views on how far employers can go.
“There is very often a lack of consistency” from national regulators, said
Lawyers argue that the devil is in the details. While the use of manual scanners that don’t record data probably carry little GDPR risk, a thermal video camera could.
“Covid is a painful example of how much of a lack of harmonization there still is despite the GDPR and despite many regulatory and legislative efforts to try to harmonize the rules,” De Cordier said.
There are other dangers in a rapid roll-out of technologies like fever-detection cameras, which could force employees, who might have a relatively higher body temperature or fever due to a non-infectious disease, to divulge it to their employers against their will. Corporate contact-tracing apps, meanwhile, could give employers insight into which colleagues congregate together.
Such privacy issues concern most multinationals, lawyers said, but given the region’s tough legal standards, Europe may be the source of many challenges.
“If you’re going to get a problem anywhere, it’s very likely to be in Europe,” said
With some workers already going back, businesses often don’t have enough time to complete the legal analysis necessary to justify the collection of workers’ health data -- dubbed data protection impact assessments -- before using the technology, Jeffery said.
Typically, organizations would obtain a person’s consent to process personal data. But an imbalance of power in a workplace means workers can’t truly give free permission, so employers need other lawful justifications for collecting information.
“We really need to invite our clients to be prudent, because you can’t anticipate how regulators will react,” said Satya Staes Polet, a lawyer specializing in data-protection issues at Freshfields Bruckhaus Deringer in Brussels.
(Adds regulator comment in seventh paragraph.)
To contact the editors responsible for this story:
© 2020 Bloomberg L.P. All rights reserved. Used with permission.