EU firms find a fine line between privacy laws and worker safety
In the EU, businesses need to manage the risk of hefty data-protection fines and incurring criminal liability over employee safety
Luxembourg/Brussels — Technology may allow companies across Europe to open more quickly and protect the health of employees as they try to rebound from coronavirus lockdowns.
It might also mean they end up in court.
With lockdowns lifting, many employers plan to use systems, including fever-detecting thermal cameras, mask-checking systems and corporate contact-tracing devices, to help prevent new Covid-19 outbreaks. But in the EU, where privacy laws are strict, and health and safety rules can vary by country, businesses need to tread a narrow path to avoid hefty data-protection fines or incurring criminal liability over worker safety.
“At the moment it’s a bit like the Wild West,” said Kerstin Neighbour, global head of the employment practice at law firm Hogan Lovells in Frankfurt. “We’re in a situation where we need to act fast, where employers may feel a need to overstep certain boundaries to basically make sure that the company survives.”
But some of those decisions, she said, are being made with a risk that courts will later find that they were ill-considered when the crisis passes.
Data protection violations alone could lead to fines of as much as 4% of a company’s annual sales under the EU’s General Data Protection Regulation (GDPR). But firms are also bumping up against employment laws that could bring incur penalties or, in rare cases, jail time for executives, if they’re found to have insufficiently protected workers’ safety.
Regulators say there is no EU-wide guidance on the use of virus-prevention technologies at work and what’s permissible can vary across the 27-nation bloc.
Lack of consistency
GDPR and privacy watchdogs have been surprisingly flexible during the crisis on the use and collection of data to protect people’s health and stem the infection’s rapid spread across the EU. Still, there are limits on how much data can be collected or how long it’s stored. Even though data-protection rules are harmonised, national watchdogs may have different views on how far employers can go.
“There is very often a lack of consistency” from national regulators, said Tom de Cordier, a technology and data protection lawyer at CMS DeBacker in Brussels. “In France you’re not allowed as an employer to ask about symptoms, in the Netherlands the same, whereas in the UK, in Sweden, in Spain, Slovakia, you can.”
Lawyers argue that the devil is in the details. While the use of manual scanners that don’t record data probably carry little GDPR risk, a thermal video camera could.
“Covid is a painful example of how much of a lack of harmonisation there still is despite the GDPR and despite many regulatory and legislative efforts to try to harmonise the rules,” De Cordier said.
There are other dangers in a rapid rollout of technologies such as fever-detection cameras, which could force employees, who might have a relatively higher body temperature or fever due to a noninfectious disease, to divulge it to their employers against their will. Corporate contact-tracing apps, meanwhile, could give employers insight into which colleagues congregate together.
Such privacy issues concern most multinationals, lawyers said, but given the region’s tough legal standards, Europe may be the source of many challenges.
“If you’re going to get a problem anywhere, it’s very likely to be in Europe,” said Christopher Jeffery, a partner at law firm Taylor Wessing who advises clients on data-protection compliance.
With some workers already going back, businesses often don’t have enough time to complete the legal analysis necessary to justify the collection of workers’ health data — dubbed data protection impact assessments — before using the technology, Jeffery said.
Typically, organisations would obtain a person’s consent to process personal data. But an imbalance of power in a workplace means workers can’t truly give free permission, so employers need other lawful justifications for collecting information.
“We really need to invite our clients to be prudent, because you can’t anticipate how regulators will react,” said Satya Staes Polet, a lawyer specialising in data-protection issues at Freshfields Bruckhaus Deringer in Brussels.
Would you like to comment on this article or view other readers' comments?
Register (it’s quick and free) or sign in now.
Please read our Comment Policy before commenting.