Privacy Compliance Amid Covid-19

July 23, 2020


Navigating Privacy Compliance During Covid-19 and Beyond

Day One, Bloomberg Law Leadership Forum:
Answering Privacy and Data Security Challenges

July 23, 2020

As data protection authorities around the world provide guidance related to the Covid-19 pandemic, our day one speakers discussed how to best navigate a patchwork of global, national, and state data protection laws that has been made more complex by mass telework and health and safety measures.

Excerpt From the Privacy Compliance in Times of Crisis Panel Discussion:

Rob Corbet, partner and head of technology and innovation, Arthur Cox: I think the easy part, in Covid-19, was the early part. We initially put in some social distancing in our offices, and then eventually we evacuated the office quickly, which we thought was a major step. But actually, I think in many ways, coming back to work is trickier from both an employment perspective and a privacy perspective.

Most organizations aren’t in a position to return in full to work immediately. And you get into issues around profiling individuals as to who’s suitable for work, who are the best people you need to get back to work quickly. If people don’t want to come back to work and the pandemic is still in the community, can you mandate them to do so? All of these decisions are going on in a totally changed economic environment, and decisions are being made, not just determination of suitability to return to work based on the pandemic, but decisions are being made about downsizing the workforce at the same time.

I suppose that my message to the audience today is that we’ve seen in Europe for a long time that in downturns, consumers and employees will reach to data protection models to help them fight their corner. So you see an increase in things like data access requests, that type of thing, when employees feel under threat or in jeopardy in relation to any job security issues.

If, insofar as organizations are starting to profile their staff in relation to return to work going forward, and if they’re also making decisions around downsizing their workforce, they should expect, at least in Europe, that those individual decisions will be scrutinized. Individuals will seek access to the information that led to those decisions being made. So it goes back to documenting the decisions and the environment in which you made them, because I think there has been a certain amount of weaponization of the GDPR, and it’s probably becoming prevalent, perhaps, in the U.S. under CCPA and elsewhere. People have realized that the conferral of rights by privacy laws enables them to leverage those rights in a way that can best protect their own interests in the context of employment law.

Staying Compliant and Minimizing Impact Amid Coronavirus Concerns

In our Covid-19 special report, you’ll find essential guidance to help navigate contract and employment law related to HIPAA, GDPR, CCPA, the ADA, and more.

Mark Smith, legal analyst, Bloomberg Law: Sam, are you recommending any internal policy changes as folks return to work, best practices that business agree upon?

Sam Cullari, counsel, Reed Smith: The things that we’re focused on with our clients that are bringing their workforce back into their offices and facilities are careful consideration of the appropriate method of notifying and being clear to your employees about what you’re collecting and what you’re doing with it. You need to find the right balance of what is the most effective method of notification for all of the new policies and procedures that you’re putting into place, including previously unexpected or new data collection policies. I think that, for me, it’s focusing on making sure that you’ve effectively communicated to everyone that needs to be communicated to what it is you’re doing.

Smith: I understand the communication is key, and so, Ruby, touching on what you had mentioned earlier about leadership, do you see that communication coming from top leadership? How do you see the roles in notifying the workforce of the game plan going forward?

Ruby Zefo, chief privacy officer and associate general counsel, Uber: I think it’s very important, and it’s one of the things that people are most curious about. They’re worried, and who can blame them. And so they want to know as much as they can about what the future is going to look like. Unfortunately, it’s still unstable. You may not be able to have firm answers on the long term yet. You may still be in a situation where you’re pivoting, but I think communicating what you do know, as soon as you know, is very helpful for people, and making sure that you get their feedback as well, even if it’s just to let you know that they’re still worried.