Tech That Saves EU Firms From Covid-19 Could Kill Them in Court

Technology may allow companies across Europe to open more quickly and protect the health of employees as they try to rebound from coronavirus lockdowns.

It might also mean they end up in court.

With lockdowns lifting, many employers plan to use systems, including fever-detecting thermal cameras, mask-checking systems and corporate contact-tracing devices, to help prevent new Covid-19 outbreaks. But in the European Union, where privacy laws are strict and health and safety rules can vary by country, businesses need to tread a narrow path to avoid hefty data-protection fines or incurring criminal liability over worker safety.

“At the moment it’s a bit like the Wild West,” said Kerstin Neighbour, global head of the employment practice at law firm Hogan Lovells in Frankfurt. “We’re in a situation where we need to act fast, where employers may feel a need to overstep certain boundaries to basically make sure that the company survives.”

But some of those decisions, she said, are being made with a risk that courts will later find that they were ill-considered when the crisis passes.

Data protection violations alone could lead to fines of as much as 4% of a company’s annual sales under the EU’s General Data Protection Regulation, or GDPR. But firms are also bumping up against employment laws that could bring penalties or, in rare cases, jail time for executives, if they’re found to have insufficiently protected workers’ safety.

The European Commission and the group of EU data protection regulators said there’s no guidance that covers the entire 27-nation bloc on the use of such back-to-work technologies, saying it remains up to national privacy watchdogs to check laws are followed.

Lack of Consistency

GDPR and privacy watchdogs have been surprisingly flexible during the crisis on the use and collection of data to protect people’s health and stem the infection’s rapid spread across the EU. Still, there are limits on how much data can be collected or how long it’s stored. Even though data-protection rules are harmonized, national watchdogs may have different views on how far employers can go.

“There is very often a lack of consistency” from national regulators, said Tom De Cordier, a technology and data protection lawyer at CMS DeBacker in Brussels. “In France you’re not allowed as an employer to ask about symptoms, in the Netherlands the same, whereas in the U.K., in Sweden, in Spain, Slovakia, you can.”

Lawyers argue that the devil is in the details. While the use of manual scanners that don’t record data probably carry little GDPR risk, a thermal video camera could.

“Covid is a painful example of how much of a lack of harmonization there still is despite the GDPR and despite many regulatory and legislative efforts to try to harmonize the rules,” De Cordier said.

European Challenges

There are other dangers in a rapid roll-out of technologies like fever-detection cameras, which could force employees, who might have a relatively higher body temperature or fever due to a non-infectious disease, to divulge it to their employers against their will. Corporate contact-tracing apps, meanwhile, could give employers insight into which colleagues congregate together.

Such privacy issues concern most multinationals, lawyers said, but given the region’s tough legal standards, Europe may be the source of many challenges.

“If you’re going to get a problem anywhere, it’s very likely to be in Europe,” said Christopher Jeffery, a partner at law firm Taylor Wessing who advises clients on data-protection compliance.

Prudence

With some workers already going back, businesses often don’t have enough time to complete the legal analysis necessary to justify the collection of workers’ health data — dubbed data protection impact assessments — before using the technology, Jeffery said.

Typically, organizations would obtain a person’s consent to process personal data. But an imbalance of power in a workplace means workers can’t truly give free permission, so employers need other lawful justifications for collecting information.

“We really need to invite our clients to be prudent, because you can’t anticipate how regulators will react,” said Satya Staes Polet, a lawyer specializing in data-protection issues at Freshfields Bruckhaus Deringer in Brussels.

Source: Read Full Article