Data Privacy Laws and COVID-19
March 23, 2020
The attorneys in the Firm's Tech & Data practice group have received numerous questions from clients regarding data privacy regulation concerns. Please see their current analysis of compliance under data privacy regulations as compiled by Member Jason L. Ott and Consultant Derrick L. Maultsby, Jr. below.
During the current spread of COVID-19 (“Coronavirus”), companies are facing issues on many fronts, from the most basic questions around safeguarding the health and well-being of their employees to continuing business operations generally and preparing for an uncertain future with the information that they are able to learn with each new day. Even against this unprecedented backdrop, companies cannot lose focus on vital internal procedural and compliance issues, including the growing demands on businesses concerning data privacy laws. Over the past two years, compliance under laws such as the European Union General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) has been a priority for companies around the globe. However, with concerns of customers and employees possibly being infected with the Coronavirus, companies must focus on concerns around the data they are collecting, storing, and processing in response to this global pandemic.
General Data Protection Regulation
As Coronavirus spreads and infects more people, privacy norms are being disregarded. In Asian nations, where the virus initially spread, countries have utilized data from smart phones, clinics, airports, and businesses to trace people’s travel history and whereabouts within the country as well as to determine whether they have visited a hospital or other healthcare facility. The utilization of data and innovation is necessary and has helped Asian countries respond to the spread of the virus. As European countries and the United States begin to address and attempt to handle these growing concerns, companies that receive requests for customer data from governmental officials may be concerned with processing this data and what it means under the GDPR.
Fortunately, this processing of data is likely permissible under the GDPR. Pursuant to Article 6 of the GDPR, the processing of consumer data is lawful even without the data subject’s consent when processing is necessary to protect the vital interests of the data subject or of another natural person, or when processing is necessary for the performance of a task carried out in the public interest. Thus, it is likely that a company with certain consumer data (a “data processor”) would be permitted to provide such data in response to a data request from the government without consumer consent, since the processing of this data would be in support of the vital interest of the data subject and/or carried out in the interest of the public.
California Consumer Privacy Act
Coronavirus is now a national emergency, and employers are correctly concerned about how to move forward with conducting business while also protecting the health of consumers and employees. Some companies may want to ask their employees to submit health declaration forms that contain personal data such as travel history, recent medical history, and other pertinent information to assess if they are at higher risk of being infected with Coronavirus. Under the CCPA, data processors are required to inform California data subjects of the collection and processing of their data. Consistent with that, the collection and storage of the data referenced above would be proper as long as employees residing in California are provided notice, explaining the categories of personal information collected and the purposes for which the information was collected.