Privacy in the time of a Pandemic

While many have pressed pause on ‘business as usual’ as a result of Covid-19, the importance of privacy and compliance with data protection law has found itself in the spotlight.  Regulators over the past five months have shown that the integrity of data protection is more important than ever in a time where businesses and services have moved online and data is at the forefront of communication, connection and the government’s test and trace.  In this article we set out the recent developments in data protection law and how they have impacted businesses during this Covid-19 pandemic.

Collecting information

Restaurants and pubs have reopened and been asked by the UK government to support the NHS Test and Trace response by collecting contact details of their customers.  As a result, businesses which may not previously have collected personal data must now comply with the applicable data protection laws in order to comply with the Test and Trace. 

As offices reopen businesses are implementing measure to keep their workers safe including following government guidance on returning to work.  Safety measures may include tracking who is in the office and when, routine temperature checks and/or surveys on symptoms, all of which include the collection of employee or visitor personal data.

This increase in the collection and processing of personal data must be done in compliance with applicable data protection law.  Businesses must consider their lawful basis for processing the personal data and consider whether their collection of such personal data is necessary and proportionate for the purpose of protecting customers, employees and/or visitors against the Covid-19 virus.  In addition, the personal data collected should only be processed for as long as is necessary for the purpose for which it was collected and must be stored security.

Schrems II – International data transfers

On 16th July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield as a mechanism by which to transfer personal data from the EU to the United States.  Businesses can take some comfort as the judgement did state that the Standard Contractual Clauses (“SCCs”) remain valid, although it reinforced the obligation on businesses to verify the level of data protection offered by the importer prior to implementing the SCCs.  For further background on this case, please see here.   

This judgment reinforces the European Commission’s view that the protection of personal data is paramount and that the high standards of protection set by the GDPR should not be compromised.  As such, all businesses relying on the Privacy Shield to transfer personal data to the US should review their data flows and consider what alternative transfer mechanisms are required. 

Age Appropriate Design Code

The Information Commissioner’s Officer’s Age Appropriate Design Code (the “Code”) will come into force on 2nd September 2020 with a 12 month transition period.  The purpose of the Code is to ensure that online service providers implement appropriate safeguards to protect children’s personal data.  The Code introduces 15 standards, which the UK government’s explanatory memorandum has stated are not technical standards but are ‘a set of technology-neutral design principles and practical privacy features’ to put the protection of children’s personal data as a ‘default setting’.

The Code further entrenches the principles of ‘privacy by design’ implemented by the GDPR and the Data Protection Act 2018.  Any business providing online products or services that process personal data and are likely to be accessed by children must implement the strict requirements of the Code in order to comply. 

Cyber Security

Interpol released a report on 4th August 2020 showing the increase in cyberattacks during Covid-19 and a shift in focus of cyber criminals from individuals and small businesses to major corporations, governments and critical infrastructure.   The report found that cybercriminals are targeting their attacks in order to exploit the uncertainty caused by Covid-19 at a time of increased online dependency.  The exploitation of Covid-19 in online scams and phishing attempts has seen cybercriminals entice victims into providing their personal data by impersonating government and health authorities. 

Businesses need to be aware of this increased risk and should take this opportunity to ensure their cyber defences are up to date.  This is particularly important considering the obligation to protect personal data from any unauthorised access under data protection law alongside businesses’ possible increase in processing of personal data, including sensitive personal data, in connection with measures implemented by businesses during Covid-19.

Commentary

While the Schrems II judgement and the Age Appropriate Design Code have been in the pipeline for a number of years, their impact on them being handed down and implemented during Covid-19 cannot be underestimated.  Both the judgment and the Code show a momentum towards, and a re-enforcement of, the high standards of privacy required to comply with the GDPR and Data Protection Act 2018.  This reiteration of the primacy of data protection has come at a time where businesses have gone online, the collection of personal data has increased and the risk of cybercrime is on the rise.  As such, businesses should review their internal practices and ensuring that they are compliant with data protection law as it is evolving in the context of our new working world.