As the COVID-19 pandemic continues to affect workplaces throughout the world, employers are considering new ways to ensure a safe workplace when employees return to the office. Outside the US, employers must balance their duty of care to protect the health and safety of all their employees with safeguarding employees’ privacy and complying with data protection regulations. Many employers already have analyzed whether they may require or request employees to (i) submit to COVID-19 testing at the workplace, (ii) certify certain health information regarding exposure to COVID-19 and (iii) wear a face covering in the workplace. Another relatively recent development employers outside the US may wish to consider is whether they may require or request employees to download a COVID-19 contact tracing application to their smartphones to track employees’ movements and contacts to enable employers to alert employees if they have been exposed to a co-worker with COVID-19.
Consent in the Employment Context
Requiring or requesting employees to download a contact tracing application raises data privacy issues. To start, in the EU and elsewhere processing employee personal data, including location data, generally requires employers to obtain employee consent. As such, using an employer-sponsored COVID-19 contact tracing application must be voluntary. But it is very difficult for employers in the EU and other countries to demonstrate that employees’ use of the application actually is voluntary. This is because those jurisdictions view consent skeptically in the employment context because of the perceived unequal bargaining position between employers and employees.
There may, however, be a way to implement contact tracing through use of a mobile phone application that is legally complaint with the General Data Protection Regulation (“GDPR”). Under the GDPR, EU employers may process employees’ personal data when necessary for employers’ legitimate interests or the legitimate interests of a third party, unless there is an overriding reason to protect the individual’s personal data. In addition, employers must comply with GDPR rules when processing special category (sensitive) data, which includes health data. To ensure that employers’ processing of special category data is lawful, employers must first identify an Article 6 basis for the processing, and then must meet one of the specific conditions in Article 9, which includes explicit consent. To establish explicit consent under the GDPR, the consent must (i) be a clear statement (oral or written), (ii) specify the nature of the special category data and (iii) be separate from any other consent.
Prior to rolling out a COVID-19 contact tracing application, employers should analyze whether such an application is permissible in specific jurisdictions. Some countries, including Australia, India, Japan, Singapore, Spain and the United Kingdom, among others, have state-sponsored applications and also allow employers to request employees to download a workplace contact tracing application. Government applications are not necessarily widely used (as is the case in Spain and the UK); therefore, an employer-specific application, although arguably redundant, may actually provide better workplace contact tracing and with it, better employee health safeguarding.
There are some countries, however, which ban contact tracing applications. In Luxembourg, for example, the National Commission for Data Protection has stated that employers should not use contact tracing applications to process employee data. After national debate, Luxembourg decided not to develop a national contact tracing application. The decision applies to employers, who if they do not comply, may be subject to fines and/or criminal sanctions.
In other countries, including France, Germany and Ireland, where the government has rolled out a state-sponsored COVID-19 contact tracing application, employers likely face an uphill battle in demonstrating that a workplace application is necessary and proportionate in light of data privacy laws.
To minimize data privacy issues, EU employers should provide employees with a detailed notice statement that contains specific information regarding the purpose and scope of the data collection and includes an employee acknowledgment. This detailed notice statement should not be a “one-size-fits-all” form, but instead should be tailored for specific circumstances.
Where an employee can work from home, but may wish to return to the workplace, employers may consider making an employee’s return to the workplace contingent on their downloading the employer’s contact tracing application. In such case, and as a best practice, employers still should provide employees with a specific, detailed notice statement that informs employees of the purpose and scope of the data collection and should obtain the acknowledgement.
Where workplace contract tracing applications are permitted, providing employees with written disclosure and obtaining their acknowledgement and consent should minimize the potential for data privacy claims.
In the end, whether employers should require or recommend employees to download a contact tracing application depends upon both practical and legal issues. Employers should be aware of type and size of the workforce that they have in specific jurisdictions. While some employees may think that the application is a cool gadget, others may have privacy concerns. Local teams may be in the best position to assess this risk.
Epstein Becker & Green continues to monitor workforce management issues in the US and abroad.