On the birthday of the GDPR, we need to defend privacy rights against the strategy of companies and authorities that want to challenge or waive them because of the Covid-19 outbreak, on the assumption that doing so better protects the public interest.
Another year of GDPR has just passed, and there has never been a time when data protection rights have been so much under scrutiny. I can no longer count the in-house privacy counsels who have mentioned that their top managers declared that “they don’t care about privacy…” since they want to protect their employees. Also, countries like Hungary are even halting some privacy rights during the current emergency.
The need to fight against the Covid-19 outbreak seems to justify any sort of check on any individual and the collection of any data, with the assumption that deeper checks and more data mean safer employees. Employers want to know everything about everyone and be able to inform anyone about everything… The “whatever it takes” pronounced by Mario Draghi when he announced the policy of the European Central Bank to preserve the euro during the 2012 financial crisis has been invoked many times.
But are companies acting in their employees’ interests? Are we sure that collecting as much data as possible from as many employees as possible is the right approach? What happens if data relating to the Covid-19 infection or other diseases become known to other employees? Is there a risk of discrimination? Are we sure that employees will be willing to work with colleagues who used to be infected? Is there a risk of long-term adverse effects on the careers of employees that go beyond the Covid-19 emergency? And, above all, is it so difficult to ensure that the same process is performed in a privacy-compliant manner?
Data protection law compliance is often seen as a limitation on the strategy of companies. It prevents collecting any data from any person without informing them of how and when the data are collected. But some data protection authorities have shown an open-minded and reasonable approach.
For instance, the initial approach of the Italian privacy authority was against any sort of indiscriminate check on employees. But now, with the growth of coronavirus checks, it has also allowed serological Covid-19 tests to be performed on employees. However, it required that they be run under the control of the occupational doctor, who will act as a data controller and will comply with the confidentiality obligation of his role.
The same Garante held in the past that if an employee is infected by coronavirus, he needs to inform the employer. Therefore, in the scenario above, employers will only know if and when one of their employees is infected. If the other employees are not infected, the employer will not know anything about them.
Likewise, questionnaires that track any possible information about employees, even when it is not indicative of risk, and devices that keep the history of any contact, regardless of whether it is relevant and even though most governments are adopting their own contact tracing apps, do not satisfy a public interest. These moves are indicative of a situation of “panic”, where the risk is to harm employees rather than protect them.
Happy birthday, GDPR. In a state of emergency, data protection rights need to be preserved and emphasized, rather than being waived or challenged.