After weeks of shelter-in-place orders around the world, some governments and public health authorities are working on exit strategies. Digital technologies and data are deemed to play an important role in that respect, with many European and other countries adopting or planning to adopt mobile contact tracing applications.

In the recent past, the sense of

In early April, the Robert Koch Institute, which is a Federal Institute on behalf of the Federal Ministry of Health, released a COVID-19-App (the “App”). The purpose of the App is to help the Government understand the spread of the virus geographically based on the likelihood of COVID-19 symptoms experienced by App users, and to better estimate the possible number of undetected COVID-19 infections.

A detailed Q&A was made available to users[1]. Interestingly, the App is called “Corona Data Donation App” to emphasize that data is given freely by users.

Continue Reading COVID-19-App Released in Germany

There is a lot of uncertainty as to when the Brazilian Data Protection Law (No. 13,709 – “LGPD”) will come into force. Such uncertainty has been significantly increased due to the current scenario of Covid-19. However, data protection compliance projects should not be postponed or implemented superficially, especially considering (i) their direct impact in a

The fight against the COVID-19 pandemic led to the deployment of unprecedented responses by states and organizations, from “data against corona” initiatives (i.e., use of “anonymized” and “aggregated” mobile data as part of monitoring the success of in-shelter rules) to employers around the globe eager to protect their workforces and launching corona-investigations (inquiring about personal travels, imposing self-quarantine measures, etc.).

Even more so in stretched times, attention must be paid to balancing those initiatives against individuals’ fundamental right to privacy. In this context, many national data protection authorities in the European Union and the United Kingdom issued guidelines on the processing of personal data as part of the COVID-19 crisis in an effort to define what is possible and what is not.

We summarize below the approach taken in relation to three aspects of employee-privacy, namely: the opportunity for employers to request employees to disclose symptoms, the conduct of examination of employees and, finally, the disclosure of affected employees’ identity to peers.

A snapshot is provided for Belgium, France, Germany and the United Kingdom. For a broader review of cybersecurity and data privacy aspects in relation to COVID-19, please read our Legal Update on the subject.

Enjoy the reading.

Diletta De Cicco and Charles Helleputte

Continue Reading COVID-19 and Employees’ Privacy: Capita Selecta

The novel COVID-19 virus has exposed businesses to dynamic cyber threats and data privacy challenges—and accompanying legal risks.

The rapid expansion of remote work and associated strains on employees have created new opportunities for cyber criminals. Further raising risk, critical company systems and data may be exposed by increased remote access, and it may be harder for companies to respond effectively to cyber incidents. As a result, cyber criminals are seeking to exploit COVID-19 through phishing scams, ransomware, business email compromises, and other attacks. For example, one Russian criminal group has been associated with malware that uses a legitimate COVID-19-related map produced by Johns Hopkins University while seeking to steal user passwords.[1] The U.S. Department of Health and Human Services reportedly recently suffered a distributed denial of service attack.[2] And Brno University Hospital, one of the largest COVID-19 testing centers in the Czech Republic, reportedly suffered a cyberattack that shut down its computers, and led to cancelled operations and patient relocations.[3] (Please see our prior alert on phishing campaigns in Hong Kong.)

Continue Reading Managing Cybersecurity and Privacy Risks Through COVID-19

The question of whether staff have a right to know if a colleague has become infected with the virus brings two separate duties into conflict. On the one hand, the employer owes a duty to take reasonable care of its employees’ health. On the other hand, medical information is sensitive personal data and as such there are limited circumstances in which it can be disclosed to third parties without the consent of the data subject, i.e. the employee infected with the virus.

Continue Reading UK – Right to Know

In light of the current COVID-19 crisis and the uncertainties connected therewith, many employers wonder how they can best protect their staff. Where possible, employees are encouraged to work from home. However, there are several businesses and tasks for which a remote workspace is not an option. A measure regularly proposed and implemented in these cases is compulsory temperature testing for employees at the entrances to a site or building, with a subsequent refusal of entry for employees who have an elevated temperature or refuse to test.

In Germany, this approach poses several risks under German data privacy law.

Continue Reading Compulsory Temperature Testing and the Protection of Employee Data