Another Victim of COVID-19: Your Personal Information
As COVID-19 case numbers and governmental responses pour into our newsfeeds at a dizzying rate, the legal implications follow in kind. This post intends to highlight the emerging data privacy issues and briefly outline some of the latest developments.
Countries without strong data privacy laws—including China, South Korea, Russia, Israel and India—are using technologies like facial recognition and cell phone tracking to identify possible infections and enforce quarantines.[1] The European Union has so far largely avoided such measures since its exceptionally tough GDPR rules likely require individual consent to implement those tracking procedures.[2] In one notable exception so far (which may foreshadow how other countries respond if their situation worsens[3]), Italy has recently approved emergency provisions to their red tape.[4] The United States, which lacks clear federal data privacy regulation,[5] is reportedly in talks with major data companies about some form of data tracking.[6] Whether governments keep the data anonymized (rather than target individuals) remains a key sticking point for data privacy concerns.[7]
Employers are also struggling as they attempt to balance the privacy of one employee with the safety of the others. When an employee has been infected, EU and U.S. employers can share only a generalized precautionary message to relevant employees, not the identity of the employee—a tricky task in some circumstances.[8] While U.S. employers are allowed to test employee temperatures and ask whether employees have traveled to certain high-risk countries,[9] EU countries have taken diverse and more limited approaches.[10] For example, Italy only allows medical checks to be administered by medical professionals, not by company employees.[11] France rules out temperature checks altogether[12] and Ireland requires proof of “strong justification” before questioning employees about travel.[13] Expect countries to modify these rules as they enter their own “upward curve” of the pandemic.
With much of their workforce now working remotely, companies are also wary of compromising protected information of their clients and employees, as well as their own.[14] Many businesses lack a robust and secure technological remote interface for accessing and sharing data.[15] Other businesses may have some system in place, but not enough of their employees are sufficiently trained to use it safely, or their system lacks the capacity to properly support so many users.[16]
The pandemic especially challenges those companies already in the process of revamping their data protection measures under the new rules implemented under California’s Consumer Privacy Act (CCPA) on January 1. California is unlikely to formally postpone CCPA adoption, as requested by several industry groups, but experts believe good-faith compliance errors relating to the pandemic will not face prosecution.[17]
Healthcare providers and facilities handling coronavirus patients also must carefully follow disclosure regulations relating to a patient’s status. The U.S. Department of Health and Human Services issued an important “bulletin” about patient privacy (governed by HIPAA rules) and the virus.[18] Among other rules, it permits disclosure without patient authorization to and at the direction of certain government authorities, as well as to those at particular risk due to contact with the patient.[19]
As many countries expect conditions to worsen over the coming weeks and months, these data privacy challenges—and new ones—will continue to grow as well.
Footnotes