As the coronavirus pandemic has spread throughout Europe, data protection authorities (DPAs) have faced questions about how far employers and other organizations—including schools, apartment blocks, and shopping centers—can go in terms of asking people personal and medical-related information to protect the rest of the public at large.
And despite the fact the European Union has one single, overarching piece of stringent data privacy legislation—the General Data Protection Regulation (GDPR)—several of the 28 EU member states have taken views that are not wholly consistent with the rest of the pack.
While all DPAs agree that only “essential” information should be collected and shared, there appear to have been varying levels of tolerance as to what “essential” might cover.
DPAs in France and Italy, for example, made clear signals very early on that employers should not actively collect information about their employees’ state of health or ask questions about where they had traveled to, or the health and wellbeing of their family and friends.
Other DPAs, such as those in Denmark and Ireland, said that while sensitive personal data could legally be collected and disclosed under the GDPR, they also stressed the importance of assessing whether such processing is legitimate and limited to what is necessary. The U.K.’s Information Commissioner’s Office, meanwhile, said data protection didn’t prohibit employers from asking questions, or from notifying colleagues, but warned that organizations shouldn’t ask for more information than necessary and reminded them to apply typically “appropriate safeguards.”
Lawyers have said the lack of consistency might have led to greater confusion among companies about how they could legitimately ask pertinent health-related questions to employers and third parties without breaching the GDPR and other privacy legislation.