Coronavirus Risks – U.S. and European Employment and Privacy Law Issues

This post seeks to help parties navigate issues arising from COVID-19 risks from an employment and privacy law perspective in both the United States and Europe.

Novel coronavirus (COVID-19) presents significant issues for employers to navigate and significant consequences for employees across industries as COVID-19 reduces consumer spending, disrupts supply chains and presents challenges for managing workforces globally. Employers should be aware of their responsibilities and proactively put in place action plans to address this growing problem. Designing these plans, and addressing requested or mandated leaves and other restrictions on employee work, presents myriad employment law issues that may vary by jurisdiction. Employers are also likely to confront privacy questions as they seek information on employees’ and others’ health and travel across jurisdictions. In developing a plan, employers will want to consider these issues in a holistic and coordinated manner.

Employment Law Issues

Employers have an affirmative legal duty to provide a safe and healthful working environment for their employees. In the current COVID-19 environment, key action items include these:

  • Monitoring relevant public heath guidance and communication protocols. Employers should make sure they communicate any key recommendations to employees and update these communications as the situation develops. Public health authorities globally have published detailed advice on steps that should be taken to minimize the risk of contagion in the workplace. These include handwashing and the provision of hand sanitizers, the reporting of illness, the reporting of travel to or from high-risk regions, the requirement for self-isolation in certain circumstances and the reporting of any risk of infection from family or friendship circles. In the United States, alerting employees to publicly available information published by the Centers for Disease Control and Prevention and local government authorities is a good start.
  • Making a risk assessment of the workplace. This could include a review of cleaning protocols — particularly in high-traffic areas — the spacing of workstations, the protection of vulnerable staff who may be at higher risk because of age or preexisting conditions, the feasibility of remote working, reporting systems for suspected illness and protocols for isolating employees or sending them home, visitor screening systems (if any) and, in the case of employees who deal with the public, workstations, the possible exposure to higher-risk members of the public and any additional protections that could be introduced.
  • Americans With Disabilities Act. Any employer action that relates to an employee’s qualified disabilities implicates not only the federal Americans With Disabilities Act but also state disabilities laws. In some states, employers generally are precluded from inquiring about diagnoses. Employers should be mindful of the implications of these laws. Certain jurisdictions limit an employer’s ability to provide medical information, and possessing medical information that is not strictly essential can create problems for businesses down the road.
  • Reviewing travel policies. Employers should review current travel practices and assess whether they should reduce or ban some travel, particularly to high-risk locations. Employers will need to assess when travel is necessary and, for highly mobile employees, take additional precautions to ensure they are properly monitored. Some secondment or immigration programs may need to be reviewed, and it may be prudent to cancel large conferences if they involve international travel.
  • Considering travel restriction issues. Under presidential proclamations and related CDC rules, travelers to the U.S. can be subject to visa refusal, mandatory quarantine requirements and requirements to return through designated U.S. airports. There may be additional travel restrictions as the situation evolves, and employers should be wary of sending all employees, but especially non-citizen employees, to high-risk countries where they risk getting stranded. Employers should check travel restrictions for the destination country as well as carefully consider what procedures will be followed when the employees return to the United States from such areas. Some countries have travel restrictions in place that will keep employees from returning to the US and countries including the U.S. may update travel restriction policies at any time. Accordingly, both employers and employees should prepare for the employee to face additional hurdles upon return. For employees who plan to travel outside of the U.S. in order to renew an expiring visa, employers should consult legal counsel to ensure that travel to apply for the visa renewal is truly necessary. If travel is unavoidable, employees should attempt to visit consular locations near the U.S. to minimize air travel and risk. Instead of traveling, employees with expiring work authorizations may be able to file for an extension within the U.S. through U.S. Citizenship and Immigration Services.
  • Understanding payment obligations. Whether employees who are not currently sick but who have been directed by their employers to stay at home because of the potential to infect others as a result of their personal or business activities that increase the risk that they will contract (or have contracted) the COVID-19 virus must continue to be paid during their absence will depend on the laws of the local jurisdiction and the employer’s sick and other leave policies. Even where employees may not have a strict right to be paid for all their time away from work, employers should be aware of applicable public health guidance that may recommend that employers be more flexible with their pay policies under these circumstances. Employers may want to issue more detailed guidance to employees about their approach to these issues.
  • Avoiding discrimination. Employers should ensure that they take steps to ensure that employees are not subjected to detriment because of their or their family’s illness or on the basis of any health information they have disclosed. Legislation against discrimination on the grounds or illness or disability exists in many jurisdictions, and employers should make sure they are up to speed with these obligations. Any difference in treatment for certain employees — e.g., regarding mobility, leave or payment policy — should be based solely on business-related reasons. Applying the rules consistently is important.
  • Keeping policies and protocols under review. The COVID-19 situation is evolving rapidly. In most jurisdictions the risk of individuals’ contracting the disease is currently low, and most authorities are advising that more drastic action, such as mass remote working or the closure of workplaces, is unlikely to be necessary. Nevertheless, employers may want to consider their approach if these contingencies become reality. Actions might include an assessment on the operation of relevant parts of the business, a review of a longer-term approach to paid or unpaid leave and/or a review of the need to furlough/lay off employees together with the associated cost of this in the relevant jurisdictions.

Data Protection and Privacy Law Issues

Responses to COVID-19 raise a number of European and U.S. data privacy and data protection concerns. Key considerations include:

  • Restrictions on data collection and use. As businesses consider new information collection and analysis activities to address COVID-19 risks, they should consider any applicable statutory, regulatory and contractual restrictions on collection from, and uses of, certain data sources or data types. They should also consider how best to mitigate risks for the businesses that are associated with the collection and use of such data as an integral part of their COVID-19 action plans.
  • Sufficiency of existing privacy policies and notices. Businesses will want to consider whether existing privacy policies and notices are sufficient to cover the data to be collected for purposes of COVID-19 response from employees, visitors, customers and other data subjects, and the processing of such data.
  • Legal grounds for processing. From a European privacy law perspective, employers should consider the application of the European Union’s (EU) General Data Protection Regulation (GPDR) and laws in different EU countries and the UK and determine the legal ground under the GDPR to process employee, visitor and customer personal data, and — in particular — health data. From a GDPR perspective, an employer will generally not be able to rely on an employee’s consent, but it may be able to rely on a combination of other GDPR grounds including legitimate interest, legal obligation and employment law grounds (where processing health data). The ability to rely on these grounds and other requirements may differ in different European countries.
  • Protocols for information practices. To help mitigate some of the data-related risks noted above, businesses may wish to establish prudential protocols for the manner in which they will collect, use, secure, retain and share any information collected as part of COVID-19 response efforts, particularly any information related to health and other sensitive data. Businesses should consider GDPR and other legal requirements, such as taking appropriate information security measures and applying data minimization, particularly given the potential sensitivity of health data, as well as legally compliant retention periods (e.g., data on a person who is shown not to have visited a restricted country or area).
  • International data transfers. Businesses in Europe and the UK should consider whether employee, visitor or customer data processed for COVID-19 purposes will be transferred by the business or by a vendor outside of the European Economic Area/UK. If such data will be transferred, are the contemplated transfers covered under an appropriate GDPR data transfer mechanism?
  • Privacy impact assessments. Businesses covered by the GDPR in particular will want to consider whether a data privacy impact assessment is required (or advisable) to conduct the new data-related activities needed for responding to COVID-19.