As prevention measures against the coronavirus (COVID-19) pandemic bump into the principles and guidelines of the EU General Data Protection Regulations (GDPR), the French Data Protection Authority has reinforced essential rules and good practices for companies to ensure employee personal data protection.
The French Data Protection Authority, Commission Nationale de l'Informatique et des Libertés (CNIL), expressed its views on various issues relating to the consequences of the pandemic on the processing and protection of personal data and on its monitoring activity for 2020.
As a reminder, while the current public health emergency requires all stakeholders to be particularly vigilant, the processing of health data is the responsibility of the health authorities qualified to take appropriate measures in light of the situation. The CNIL therefore asks that individuals and professionals follow the recommendations of the health authorities and collect data on the health of individuals only upon request by the competent authorities.
On April 8, CNIL President Marie-Laure Denis spoke to the French National Assembly's Law Commission. She stressed the importance of data protection issues in the context of the current health emergency.
While each individual must implement measures appropriate to the situation, such as limiting travel and meetings or respecting hygiene measures, an employer may not take any measures that could infringe on the privacy of its employees, in particular by collecting personal health data that would go beyond what is necessary to determine potential exposure to COVID-19.
Indeed, health data is subject to special protections provided by the GDPR, the French Data Protection Law, and the French Public Health Code. As a reminder, according to Article 9.1 of the GDPR, the processing of health data is, in principle, prohibited. It may nevertheless be authorized in a limited number of cases and, in particular, if the data subject freely gives his/her explicit consent.
The question of whether consent is freely given is generally questioned in the context of the employee/employer relationship.
More specifically, an employer may not collect, on a general and systematic basis, or through surveys and individual requests, information relating to the search for possible symptoms presented by an employee or his/her relatives. The employer is therefore not authorized to take the following measures:
However, under Article L. 4121-1 of the French Labor Code, the employer is responsible for the health and safety of its employees. In this respect, it must implement occupational risk prevention measures, information, and training actions, and set up an appropriate organization and resources.
As part of its professional risk prevention actions, to deal with the current pandemic, the employer may do the following:
In the event of a report, the employer may record the following:
The employer may then communicate to the health authorities, on the authorities’ request, the elements related to the nature of the exposure and necessary for any health or medical care of the exposed person.
The employer may also be required to draw up a business continuity plan, the aim of which is to maintain the essential activity of its business. This plan must, in particular, provide for the measures necessary to protect the safety of employees, and identify the essential activities to be maintained and the persons necessary for continuity of service.
Practically speaking, the employer must do the following:
All collected employee personal data must be erased when the health risk disappears.
If one of the employees is in quarantine, the employer must inform the staff representatives and other employees that one of their colleagues is in quarantine without identifying the employee.
All employees, for their part, are obligated, in accordance with Article L. 4122-1 of the French Labour Code, to use all means to protect the health and safety of others and themselves. Employees must therefore inform their employer in the event of suspected contact with the virus, in particular if the employer requests this information. Refusal to reply or to provide this information may be considered a violation of the above obligation.
As this is an extremely fluid and unpredictable situation, a reassessment of the measures taken must be expected in order to ensure the best possible protection of employees, in terms of both health and their personal data.
In the context of the COVID-19 pandemic, teleworking is a solution that requires reinforced security measures to guarantee the integrity of information systems and processed data.
The CNIL therefore recommends that a security charter or, at least, a set of minimum rules to be complied with for teleworking, be drawn up and communicated to employees in accordance with internal regulations.
In the event of a change in information system management rules to allow teleworking (change in authorization rules, remote administrator access, etc.), the risks incurred should be assessed and, if necessary, the necessary measures should be taken. Furthermore, if the services used are accessible online, protocols should be used to guarantee the confidentiality and authentication of the receiving server, using the most recent versions of these protocols.
The CNIL also recommends implementing two-factor authentication mechanisms on remotely accessible services to limit intrusion risks and regularly consulting access logs for remotely accessible services to detect suspicious behavior. Finally, the CNIL recommends not making unsecured server interfaces directly accessible and limiting the number of services made available to the strict minimum to reduce the risk of attacks.
The CNIL also recommends equipping all employees' workstations with a firewall, antivirus software, and a tool for blocking access to malicious sites, and implementing a VPN to avoid direct exposure of services on the internet as soon as possible. It presents all of these measures as a minimum and recommends using the latest versions of such equipment and software.
The CNIL states on its website that it conducts thousands of surveys each year. This program covers the entire year and concerns its other control methods, which are carried out online, on the basis of documents or by mail. In the current context, onsite inspections will most likely be postponed until the end of the pandemic, or at least after the containment measures announced by the French government on March 16, 2020, expire. Nevertheless, CNIL agents remain in operation, remotely, which means that other types of inspections could be implemented (or even replace some inspections initially planned onsite).
For 2020, the French authority has declared that it will focus its action on three main areas:
The processing of health data is considered as "risky" processing because health data is treated as sensitive data and requires special precautions and measures. The CNIL maintains that recent health news (telemedicine, connected health objects, violation of personal data within public institutions) evidences that attention must be paid to the security of health treatments.
Processing involving geolocation data and cookies uses large volumes of data; the CNIL considers that this processing is particularly intrusive in the population’s daily lives. Particular attention should be paid to the evolution of the CNIL's recommendations concerning cookies and other tracers. Indeed, without waiting for the adoption of the future eprivacy regulation, the CNIL already adopted new guidelines in July 2019 and published in January 2020 a draft recommendation submitted for public consultation, which should be adopted soon. After a six-month awareness and adaptation period from the final publication of the recommendation, inspections and punitive actions by the CNIL will follow.
For our clients, we have formed a multidisciplinary Coronavirus COVID-19 Task Force to help guide you through the broad scope of legal issues brought on by this public health challenge. We also have launched a resource page to help keep you on top of developments as they unfold. If you would like to receive a daily digest of all new updates to the page, please subscribe now to receive our COVID-19 alerts.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers: