Labor laws in the US could be considered inadequate in times of crisis. In many jurisdictions, the law permits employers to process additional data to assist public health efforts by keeping employees safe and healthy, provided that certain safeguards and requirements are met.
According to legislation, the ADA allows employers to make sensitive medical inquiries of employees who pose a “direct threat” to the health and safety of themselves or others in the workplace, 42 U.S.C. § 121113(b); 29 C.F.R. § 1630.2(r), and COVID-19 infection or exposure clearly poses such a threat. In essence, this legislation indirectly provides sensitive healthcare information to employers without discussing the consequences to the employee.
The Executive Committee of the Global Privacy Assembly (GPA), a worldwide consortium of privacy and data protection regulators, released a statement on this issue:
“We are confident that data protection requirements will not stop the critical sharing of information to support efforts to tackle this global pandemic. The universal data protection principles in all our laws will enable the use of data in the public interest and still provide the protections the public expects. Data protection authorities stand ready to help facilitate swift and safe data sharing to fight COVID-19.”
The GPA also published a special webpage where guidance from national regulators and other authorities on how to deal with COVID-19 related data issues is posted. This guidance is not limited to specific regions or regulators but rather covers GPA members worldwide.
This statement does not plausibly define the ‘protections the public expects’, nor does it describe which jurisdiction it explicitly refers to. From a legal perspective, it is important for consumers to know the exact rights that could be infringed upon, and thus far, the benefits for the consumer remain unknown and open-ended.
Based on guidance, a distinction needs to be made between data that governments can collect and use and data that private entities can collect and use, and the permitted legal basis for each. Governments in general will have more room to maneuver when processing personal data in the public interest (e.g. to safeguard public health) or even to process personal data in the vital interest of an individual. Under the GDPR and various other laws, these are identified explicitly as grounds to process personal data. For private entities, collection and use of personal data in the public interest can also be possible, but there needs to be a clear, direct and demonstrable link with the public interest.
It is in the interest of the involved consumer that, whatever data is collected and used in the fight against COVID-19, organizations are upfront and transparent about what data they process and for which reasons. Under almost all data protection regulations around the world, the transparency requirement is a key principle. Information should be accessible, easy to understand and include the reasons why (additional) data needs to be processed.