Contributed by Francesca Gaudino, Baker McKenzie
The emergence of Covid-19 and its rapid spread through Italy is testing the country in many ways. People question whether the GDPR, the European data protection framework, is hindering or fostering the fight against this pandemic. There are many reasons why it is difficult to find a balance between health and safety and data protection rules. While the EU data protection authorities are providing guidance, it is scattered rather than uniform.
In March 2020, Italy's Data Protection Authority, Garante, issued guidance on the collection and use of personal data in relation to the pandemic. Other European data protection authorities followed suit, including Germany, France, Ireland, the UK, and Spain. The common factor contained within each jurisdiction's guidance is the intent to avoid massive and unjustified collection of data, particularly health data.
The overall message and rationale behind the Garante's guidance is to avoid do-it-yourself initiatives and instead leave the handling of the crisis to competent government and health authorities. From a privacy perspective, the more is not the merrier -- an increase in data collection entails higher risks in terms of data security and possible abuse of data.
The Italian government, employers, and labour union organizations have issued a protocol in order to address the escalating emergency. In doing so, the protocol allows these entities to take actions that the Garante had previously only allowed competent authorities to engage in, such as temperature checks and delivery of questionnaires to enter buildings.
The change in process is not a total contradiction -- procedures such as temperature checks and questionnaires have been condemned by the Garante when done as independent initiatives of employers, resulting in a scattered collection of data. The new protocol allows (and actually mandates) the same conduct, but these actions now have uniform rules with specific obligations imposed by competent authorities in an emergency situation. The scenario is thus changed, even if the measures taken are the same.
More specifically, the protocol allows employers to collect in real time employees' and visitors' temperatures before entering their premises, preventing access to those whose temperature is higher than 37.5 degrees Celsius. Since temperature checks constitute data processing, specific measures must be undertaken to ensure the data is protected. For example, the dignity and privacy of employees and visitors should always be respected (in terms of how and where the temperature checks are performed), proper information should be provided, and the reason for denying individuals entry to the premises should be identified and documented for that limited purpose (i.e., it is permissible to record details of people with temperatures above the 37.5 degree threshold). Employers should provide employees and visitors with proper privacy notices, which can omit information already known to the individuals and which may be provided orally.
The privacy notices should:
• identify the prevention against the Covid-19 outbreak as the processing purpose;
• explain the legal basis for processing the information in the implementation of the anti-outbreak security protocols; and
• set the data retention period to coincide with the termination of the emergency status.
Data may of course be processed for the limited purpose of prevention against the Covid-19 outbreak. It cannot be disclosed or shared with third parties, except under specific legal provisions, such as in cases where competent authorities request to map the chain of possible contagion. Data may be retained only until the emergency ceases.
For collection of personal data through questionnaires and self-declarations, the protocol requires employers to inform employees and visitors that access to employers’ premises is not permitted to anyone who travelled in the previous 14 days to high-risk zones (as defined by the World Health Organization) or had contact with individuals affected by Covid-19. Declarations, self-assessments, and information gathering are acceptable, provided no further information is collected (i.e., information about recent travels should not include questions about specific places visited, nor should information about contacts include details about affected individuals; in practice, only yes or no questions should be permissible).
A key concern is whether employers can share the identities of infected people with other employees or third parties. The protocol says that in cases where an employee has a temperature and symptoms of a respiratory infection such as a cough, that employee should immediately inform their HR department and should be isolated, together with others who may be present in the same location. Companies must collaborate with the health authorities to define the map of possible ‘close contacts’ of a person who tests positive for Covid-19. Employers may require the close contacts to isolate from the company while investigations are in process, per health authorities’ instructions.
The activities relating to health surveillance should continue per applicable laws and the specific measures set forth by the emergency provisions. Company doctors should closely collaborate with their employer and the workers' representatives to identify and adopt Covid-19 related measures.
Company doctors should inform the employer about specific vulnerabilities, situations, and current or previous diseases of employees, and the employer should provide for their protection, respecting privacy issues. The company doctors should apply the procedures of the health authorities. Companies should set up a dedicated committee to apply the protocol, with the participation of works councils and workers' representatives.
In conclusion, while the right to data protection is a fundamental individual right, it may be compressed or limited in emergency situations, such as the current pandemic. Even though extraordinary circumstances may allow exceptions to data protection rules, there are key principles which must always be considered and complied with, including the principles of proportionality, necessity, reasonableness, transparency, and accountability.
What can or cannot be done should be assessed based on applicable emergency laws and a case-by-case assessment. It should be emphasized that this balancing of interests should consider ‘traditional’ data protection and security elements, but also the fact that uncontrolled disclosures and distasteful use of data may trigger negative stigmatization, involving serious issues in terms of discrimination and social prejudice. It is important that the data gathered to contain the spread of coronavirus only be used in a fair and lawful manner.