Covid–19 coronavirus: emerging data protection and cybersecurity guidance (Updated 18 June 2020)
Anna van der Leeuw-Veiksha
Professional Support Lawyer
Nicole Wolters Ruckert
Filip Van Elsen
Peter Van Dyck
Catherine Di Lorenzo
19 June 2020
The Covid-19 coronavirus is creating a need for organisations to process personal data, for a variety of specific purposes (including managing and protecting their workforce, customers and the public).
Many of these processing activities are not part of “business as usual”, so established policies and protocols may not exist. Organisations face a challenge to ensure that this processing complies with data protection and privacy laws, particularly given the urgency behind some of these processing activities and other pressures, which means there is limited time available for consideration and consultation.
Organsiations are also operating under conditions where new working patterns (in particular, increased home-working) and malicious actors looking to take advantage of the public's anxiety concerning Covid-19 coronavirus are increasing cybersecurity risks. Both public and private organisations are suffering an increase in cyber-attacks and the challenge of implementing new systems and controls as a consequence.
No country is left unaffected, so for companies operating across multiple jurisdictions this is a particularly complex challenge. Regulators across the world have made statements on their expectations of how organisations may process personal data, for purposes related to dealing with Covid-19 coronavirus, in compliance with data protection laws. This guidance generally endeavours to strike a balance between enabling processing, in the public interest, while protecting the fundamental rights of individuals. Similarly, we are seeing an increasing number of authorities and regulators looking to address the cybersecurity risk and issuing practical guidance regarding homeworking, highlighting for example the need to implement appropriate security measures, utilise access controls and encryption, engage with employees, and be vigilant for phishing attacks in particular.
We set out below a high level summary of this guidance. We also present a separate extract setting out the cybersecurity and information security related developments for reference.
Whilst many regulators highlight the desire to implement procedures to tackle the Covid-19 coronavirus and halt its progression, the overarching message is that the processing activities aimed at achieving that goal should nonetheless comply with data protection and privacy laws. That said, regulators are also confident that data protection requirements will not stop the efforts to tackle this global pandemic, as the universal data protection principles will enable the use of data in the public interest and still provide the protections the public expects.
Whilst initially much of the guidance related to the treatment of health data and, in general, required employers to operate proportionately and consider carefully their approach to monitoring and testing of employees for symptoms of the Covid-19 coronavirus for example, attention is increasingly turning to the use of mobile applications and new technologies. As countries, private organisations and regional bodies look to develop solutions to manage the Covid-19 coronavirus, consideration is given to the data protection, cybersercurity and information security issues arising from apps that, amongst other things, track infection or the use of location data to monitor the Covid-19 coronavirus risk in the community.
As some jurisdictions start to emerge from lock-down and more stringent restrictions are lifted, we are also starting to see guidance addressing the risks associated with a return to "normal" working environments.
In each case, the high level summaries included reflect key messages as at 29 April 2020 except as otherwise specified against the jurisdiction/location in the table (see contents list). Earlier this month we had updated Canada, India, Japan, Czech Republic, France, Germany, Poland, UK (CDEI) and the EDPB, reflecting the latest publications as at 4 June 2020. This week we have further updated Belgium, France, Norway, Philippines, Spain, and the UK reflecting the latest publications as at 18 June 2020. New guidance and advice is being issued all the time and so we will continue to update this overview with further summaries of the latest publications.
The consolidated overview covers a selection of guidance from the following jurisdictions: Argentina, Australia, Austria, Belgium, Canada, China, Croatia, Czech Republic, Denmark, Estonia, France, Finland, Germany, Greece, Hong Kong (SAR) China, Hungary, Iceland, India, Ireland, Israel, Italy, Japan, Latvia, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Peru, Philippines, Poland, Romania, Russian Federation, Singapore, Spain, South Africa, South Korea, Sweden, Switzerland, UAE, UK, and USA.
It also reflects publications by the EU (European Parliament, European Commission, Council of the European Union, EDPB, EDPS, ENISA, CERT-EU, Europol, EBA, EIOPA, EU FRA) and international organisations, e.g. Council of Europe, FATF, Global Privacy Assembly, INTERPOL, OECD, G20 digital ministers.
To watch a webinar discussing trends and insights in relation to data protection, cybersecurity and Covid-19 coronavirus, please click here.