As the COVID-19 pandemic continues to affect workplaces throughout the world, employers are considering new ways to ensure a safe workplace when employees return to the office. Outside the U.S., employers must balance their duty of care to protect the health and safety of all their employees with the need to safeguard employees’ privacy and comply with data protection regulations.
Many employers already have analyzed whether they may require or request that employees do the following:
- Submit to COVID-19 testing at the workplace.
- Certify certain health information regarding exposure to COVID-19.
- Wear a face covering in the workplace.
Another relatively recent development employers outside the U.S. should consider is whether they may require or request that employees download a COVID-19 contact-tracing app to their smartphones in order to track employees’ movements and contacts. This will enable employers to alert employees if they have been exposed to a co-worker with COVID-19.
Consent in the Employment Context
Requiring or requesting that employees download a contact-tracing app raises data-privacy issues. In the European Union (EU) and elsewhere, processing employee personal data, including location data, generally requires employers to obtain employee consent. As such, using an employer-sponsored COVID-19 contact-tracing app must be voluntary.
But it is very difficult for employers in the EU and elsewhere to demonstrate that employees’ use of the app actually is voluntary. This is because certain jurisdictions view employee consent skeptically in the employment context, due to the perceived unequal bargaining position between employers and employees.
Nonetheless, there may be a way to implement contact tracing through use of a mobile phone app that is legally complaint with the General Data Protection Regulation (GDPR). Under the GDPR, EU employers may process employees’ personal data when necessary for employers’ legitimate interests or the legitimate interests of a third party, unless there is an overriding reason to protect the individual’s personal data.
In addition, employers must comply with GDPR rules when processing “special category” or sensitive data, which includes health data. To ensure that employers’ processing of special category data is lawful, employers must first identify a basis for the processing under Article 6 of the GDPR, and then must meet one of the specific conditions in Article 9, which includes explicit consent.
To establish explicit consent under the GDPR, the consent must:
- Be a clear statement—oral or written.
- Specify the nature of the special category data.
- Be separate from any other consent.
Prior to rolling out a COVID-19 contact-tracing app, employers should analyze whether such an app is permissible in specific jurisdictions. Some countries, including Australia, India, Japan, Singapore, Spain and the United Kingdom, among others, have state-sponsored apps and allow employers to request that employees download them. However, these government apps are not necessarily widely used. Therefore, an employer-specific app, although arguably redundant, may actually provide better workplace contact tracing and with it, better employee health safeguarding.
There are some countries, however, which ban contact-tracing apps altogether. In Luxembourg, for example, the National Commission for Data Protection has stated that employers should not use contact-tracing apps to process employee data. After national debate, Luxembourg decided not to develop a national contact-tracing app. If employers do not comply, they may be subject to fines and criminal sanctions.
In other countries including France, Germany and Ireland, where the government has rolled out a state-sponsored COVID-19 contact-tracing app, employers likely face an uphill battle in demonstrating that a separate workplace app is necessary and proportionate in light of data privacy laws.
To minimize data-privacy issues, EU employers should provide employees with a detailed notice that contains specific information regarding the purpose and scope of the data collection and includes an employee acknowledgment. This detailed statement should be tailored to specific circumstances.
When an employee can work from home but wishes to return to the workplace, employers may consider making the return to the workplace contingent on him or her downloading the employer’s contact-tracing app. In such cases, and as a best practice, employers still should provide employees with a specific, detailed statement that informs employees of the purpose and scope of the data collection and obtain their acknowledgement.
When workplace contact-tracing apps are permitted, providing employees with written disclosure and obtaining their acknowledgement and consent should minimize the potential for data-privacy claims.
In the end, whether employers should require or recommend that employees download a contact-tracing app depends upon both practical and legal issues. Employers should be aware of type and size of the workforce that they have in specific jurisdictions. While some employees may think that the app is a cool gadget, others may have privacy concerns. Local teams may be in the best position to assess this risk.
Erika Collins is an attorney with Epstein Becker Green in New York City. Ryan Hutzler is an attorney with Epstein Becker Green in Washington, D.C.