How Privacy Laws Shape COVID-19 Reopening Plans
Two weeks ago you were furloughed from your job in San Francisco. You’re still on the company’s health care plan—but are struggling to pay rent, and are worried that these health benefits will vanish if your employer goes out of business.
During a Zoom call with your friend in Milan, she tells you that the Italian government may issue “Immunity Certificates” that would allow people who have recovered from COVID-19 (and are probably immune from further infection) to return to work. You respond that the US reopening plans, under current CDC guidance and California’s Roadmap, require employers to conduct regular health checks on employees and visitors. While both countries want to safely reopen their economies, they will likely allocate screening responsibilities differently – with substantial effect on privacy.
Which privacy rights can you and your Italian friend expect? Isn’t privacy a fundamental right in both countries? Isn’t health data personally identifiable information that privacy laws are supposed to protect? In the US, are employers really allowed to perform or require medical examinations?
Your friend tells you that privacy is more highly prized (and more tightly regulated) in Europe. Therefore, medical screenings by employers—a strategy widely relied on in China and part of most reopening plans in the United States—are not a viable option across much of Europe.
Privacy must be balanced against other fundamental rights
While the EU considers privacy to be a fundamental right (and the US considers it to be important), this right is not absolute. It must be balanced against freedom of speech, the right to life, and other fundamental rights. For instance, your privacy rights don’t prevent the TSA from searching you (and your luggage) before a flight. You could, of course, refuse to be screened, but if you did, you would not be able to fly. With COVID-19, a similar balance must be struck between individual privacy and public health.
COVID-19, your employer, and the right to privacy
When it comes to processing personal information, Americans do not have a general right to privacy because the United States does not have a comprehensive privacy law. Rather, the US has a sectoral approach to privacy and only some types of personal information — such as health data or information relating to children or disabilities — receive protection under federal privacy laws. Also, most privacy laws only apply to certain “covered entities.” Take HIPAA, the main privacy law regulating health data, as an example. Employers are not considered a covered entity (and thus do not have to comply with HIPAA’s strict privacy and security rules), even when collecting sensitive health information such as results of COVID-19 medical examinations.
That does not mean, however, that employers are not subject to other privacy requirements. Employers do have to comply with the ADA, which governs their ability to ask for medical exams. Generally, a mandatory medical exam must be “job related and consistent with business necessity.” Current ADA guidance makes clear that “employers may take steps to determine if employees entering the workplace have COVID-19 because an individual with the virus will pose a direct threat to the health of others.” Thus, employers are authorized to ask and screen for COVID-19 symptoms as long as doing so is consistent with advice from the CDC and public health authorities and certain privacy rules are adhered to. Employers must keep information relating to all medical examinations confidential and maintain such information in medical files that are kept separately from general employee records. Clearly, these privacy protections are not very extensive. On a related note, the federal privacy standards for COVID-19 testing sites are even lower because the U.S. Department of Health and Human Services has waived all HIPAA rules for COVID-19 testing sites that are acting in good faith. As a result, none of the strict HIPAA privacy and security requirements will be enforced at those sites. Given this turn of events, it is unclear what privacy protections American residents might expect at COVID-19 testing centers.
Even California, which has the strictest privacy laws in the United States, offers little privacy protection to employees. Almost presciently, an October 2019 amendment to the California Consumer Privacy Act (CCPA) means that even this law, whose restrictive provisions came into effect on January 1, 2020, will not apply to employers or protect employees until January 2021. Until next year, companies will not have to comply with the CCPA when it comes to employee data, with two exceptions: first, employers must have reasonable security measures in place to safeguard personal information, and second, they must disclose the categories of personal information they collect about employees and job applicants, along with the business purposes for using such personal information.
In combination with existing federal requirements, this delay in the implementation of the CCPA means that California employers may ask for or conduct health examinations as long as they: (1) disclose the types of personal information that they collect (and identify the reason it is collected); (2) keep the results of medical examinations confidential; (3) store them separately from that individual’s general employee records; and (4) use security measures to safeguard the personal information.
European GDPR grants greater personal privacy rights, but reduces government flexibility in response to COVID-19
While the United States is effectively waiving privacy laws in response to COVID-19, the current pandemic does not exempt European government agencies, public organizations, or private companies from adhering to the GDPR’s extensive data protection framework. Health data is considered “sensitive data” under the GDPR, and lawful processing of such data requires that one of the following four grounds be met: (1) employment law rights and obligations; (2) explicit consent; (3) health (occupational medicine); and (4) public health. The last two grounds are not available to most employers, because the health and public health exceptions may only be relied on if a qualified health professional is involved. Explicit consent will not satisfy the statutory requirement either, since valid consent requires that refusing it does not disadvantage the employee.
Thus, employment law rights and obligations will, in most cases, be the only ground that allows an employer to require medical exams. It is important to note, however, that employment law falls under the competencies of the individual member states and differs significantly across the EU. Employers must therefore also check local laws and guidance from their respective national data protection authorities.
Your friend in Milan is unlikely to get tested at work, because Italy (and other countries such as Belgium, France, and Hungary) determined that workplace-driven health checks are incompatible with existing data protection laws. Even in countries with more permissive national employment laws, the bar remains high. Under the GDPR, the processing of health data must be necessary in order to comply with national statutory obligations. As a result, government entities will likely play a more pivotal role in Europe with regard to processing personal data relating to COVID-19, given that Chinese (and likely American) levels of employer testing would not meet the legal test in most EU member states. In that sense, government-issued “Immunity Certificates” might be the preferred alternative for Italy.
Where would you feel more comfortable?
Cultural norms and privacy laws have a direct impact on governments’ reopening plans. Europe’s strict data protection regime protects the privacy of its residents but inhibits the flexibility of these governments to rapidly respond to COVID-19. Most European governments will not be able to rely on employers to conduct or require medical examinations of employees. Meanwhile, federal and local governments in the United States have more leeway when designing their COVID-19 response plans. This flexibility comes at the cost of residents’ privacy rights. The short- and long-term impacts of either strategy remain to be seen. Which response would you choose?