Privacy: data protection regimes evolve in midst of Covid-19 pandemic

Lucy TrevelyanFriday 18 December 2020

The Covid-19 pandemic has created novel data processing activities and issues for companies worldwide to handle while still complying with data protection legislation.

Track and trace systems, contact tracing apps, mass data sharing and the movement of significant parts of the workforce to remote working mean that privacy impact assessments and data protection impact assessments, for example, have often been carried out under significant time pressure.

In-house lawyers and privacy professionals should ‘carry out assessments to understand the proposed activities, their purpose, necessity and proportionality and, where required, implement reasonable and proportionate compliance and risk mitigation solutions’, says Antonis Patrikios, a partner in Dentons’ London office.

Patrikios highlights that while privacy is important, it needs to be balanced against other public interests such as health and safety, public health and the economic wellbeing of individuals, companies and states. ‘It is also important to understand regulatory expectations and market practice’, he adds.

Employers were expected to do their best, and, provided they did so, were reassured that the ICO would grant them some degree of leeway to cope with the new situation

Jonathan Compton
Partner, DMH Stallard

Given the shift to remote working, monitoring employees’ activities is difficult when they use their privately owned devices for work, says Takashi Nakazaki, Vice-Chair of the IBA Data Protection Governance and Privacy Subcommittee and special counsel at Anderson Mori & Tomotsune, Tokyo.

‘Although monitoring is technically available through the installation of software, an employer would be required to notify its employees and obtain their consent prior to installation’, he says.

The pandemic has created a need for home working policies, for example to ensure that data is being handled as securely at an employee’s home as in the office.

Employee health issues have also arisen. ‘The EU General Data Protection Regulation (GDPR) requires additional justification to collect special category data (including health data)’, explains Mark Blunden, a partner leading the technology and commercial team at Boyes Turner. ‘While one of the justifications is the protection of public health, this is still subject to the principle of proportionality.’

Blunden says that businesses have had to consider how to react when Covid-19 cases arise in their places of work, and decide whether they need to require other members of the workforce to isolate and communicate with government tracing initiatives.

‘Some have needed to ask staff to isolate at certain venues to provide services or to undergo a regime of testing, thereby generating special category health data on them’, he says.

In December, the UK became the first Western jurisdiction to administer a Covid-19 vaccine to its population. There has been discussion as to whether individuals might require vaccination for entry into certain settings. This would require consideration of how to ensure effective compliance with GDPR standards, says Blunden.

The quality of guidance and enforcement approaches adopted by data protection regulators during the pandemic appears to have differed somewhat between jurisdictions.

The UK’s Information Commissioner's Office (ICO) has deployed a common sense approach to data control and management, says Jonathan Compton, a partner at DMH Stallard. It has provided a security checklist to help employers with simple means to identify data vulnerabilities, top tips for working from home and guidance on the NHS Covid-19 contact tracing app.

‘Employers were expected to do their best, and, provided they did so, were reassured that the ICO would grant them some degree of leeway to cope with the new situation’, says Compton. ‘For those who behave with cynical motives or whose actions exploit others, the penalties are severe.’

By contrast, says Kirsten Thompson, a partner at Dentons in Canada, public statements issued by the privacy regulators in Canada were largely vague, saying that ‘during a public health crisis, privacy laws still apply, but they are not a barrier to appropriate information sharing’.

‘Investigations and enforcement continued, including the commencement and prosecution of an anti-spam violation with a penalty amount that would have bankrupted a company already rocked by Covid-19’, she adds. ‘The approach of the privacy regulators did not, at least initially, seem proportionate.’

In June, the European Commission reported on GDPR’s operation so far, and referred to the need for further harmonisation and the creation of a unified, single data space.

‘It also recognised some reports that small and medium businesses (‘SMEs’) are finding the requirements particularly burdensome’, says Blunden. ‘The Commission did not propose changes, but did say it would consider amendments to set the age for children to consent to the use of their data, and whether to make amendments in relation to SMEs engaged in low risk processing.’

Overall, the GDPR is operating well and sets out the right principles for regulating privacy and data protection, believes Patrikios. ‘This is evidenced by the fact that many other countries outside the EU that are implementing data protection laws are modelling their national laws on the GDPR.’

In June, Japan amended its data privacy law, the Protection of Personal Information Act, bringing it closer in line with the GDPR, so that Japan and the EU will recognise the adequacy of the other’s data privacy regime.

These amendments introduce the concept of personal related information, says Nakazaki, and will ‘regulate the use of online identifiers, such as cookies, for marketing activities, and will affect the online advertising business, including targeted advertising. The amendments will also make it easier for individuals to demand that business operators cease using their personal data.’

In Canada, Bill C-11 was introduced in November. The Bill aims to replace the Personal Information Protection and Electronic Documents Act (PIPEDA) with a Consumer Privacy Protection Act (CPPA).

‘The CPPA is modelled on the GDPR because it is representative of global trends in personal information regulation and it permits transfers of EU personal information to jurisdictions with privacy legislation determined by the EU to be “adequate”’, explains Thompson.

‘PIPEDA has long enjoyed adequacy status, but in the absence of amendments, it is likely that the adequacy status of PIPEDA would be at risk, jeopardising transfers of personal information from the EU’, she explains.

Thompson highlights that while many of the concepts enshrined in the GDPR are much needed in PIPEDA to address the challenges created by new technologies and the digital economy – and to maintain adequacy status under the GDPR – there is little appetite for the compliance burden associated with the wholesale adoption of the GDPR itself.