In the days following the World Health Organization’s (WHO) declaration that coronavirus is now a world-wide pandemic, Europe became the epicenter of the health crisis, with the number of new cases surpassing those in China, where the virus originated.
Several European countries—Italy, Spain, Hungary, Latvia, Bulgaria, Slovakia, Serbia, and the Czech Republic—have already declared a state of emergency. More are likely to follow. Some countries, like France and Italy (which has chalked up the highest number of cases and Europe’s largest death toll) are in lockdown, while others, such as the Czech Republic, Poland, Denmark, and Germany have closed their borders. Spain, meanwhile, has barred foreigners from entering for all but essential travel, and Norway has closed all its domestic airports.
Corporate travel has effectively ground to a halt—both within the European Union and elsewhere—as countries such as the United States have either banned European flights or have forced foreigners to self-isolate on arrival, as is the case in Australia and New Zealand. Airlines have cut their flight schedules massively—some, like British Airways, by as much as 75 percent of capacity, while others, like Scandinavian Airlines, are set to cut 90 percent of their staff.
The EU’s Internal Market Commissioner Thierry Breton has said an EU-wide recession is now expected, with a 2-2.5 percent negative growth.
Although the situation is constantly changing, lawyers say there are several areas of corporate life that are going to test compliance officers and which management will need greater assurance on. These include data privacy and GDPR compliance; EU competition law; and potentially Brexit:
1. Data privacy and GDPR compliance
Lawyers say companies must be careful not to demand excessive personal information from workers about their travel or health, warning such requests could violate EU data protection and employment laws.
The EU’s General Data Protection Regulation (GDPR) says companies can collect personal data only for a specific reason, and they must obtain individuals’ consent for how it will be used. In light of the coronavirus outbreak, however, European privacy regulators have raised concerns about how employers are monitoring workers’ health—and the measures they are taking to detect potential coronavirus cases.
In the weeks following Italy’s declaration of a state of emergency on Jan. 31, some companies had required workers to provide proof they tested negative for coronavirus if they disclosed they were in an area with a high infection rate. Others had even required body temperature checks at building entrances and gave employees self-declaration forms asking for details of international travel (an approach not limited to Italy—at least one company in the United Kingdom has been touting the same equipment as a “must have” risk management tool).
Italy’s privacy watchdog acted swiftly. On March 2 the Italian Data Protection Authority warned employers against running “autonomous” medical checks or demanding personal information about workers’ non-professional travel and contacts. Any medical exams, it said, should be carried out by healthcare professionals and not by employers. In the week before the Italian data privacy regulator warned against such practices, it received around 20 requests from employers about how they could monitor employee behavior.
In a statement, the Data Protection Authority said: “Employers must refrain from collecting, in advance and in a systematic and generalised manner, including through specific requests to the individual worker or unauthorized investigations, information on the presence of any signs of influenza in the worker and his or her closest contacts, or anyhow regarding areas outside the work environment.”
It added that all data controllers should “comply strictly with the instructions provided by the Ministry of Health and the competent institutions to prevent the spread of the coronavirus without undertaking autonomous initiatives aimed at the collection of data also on the health of users and workers where such initiatives are not regulated by the law or ordered by the competent bodies.”
Data experts have said there is no excuse for companies to make use of covert CCTV cameras equipped with temperature sensors to carry out any form of health and safety risk assessment. While such use can be legitimate where there are strong grounds for suspecting criminal activity or other malpractice, “it is unlikely that these covert activities would meet the data protection requirements in either the U.K. or elsewhere in the EU,” says William Long, global co-leader of law firm Sidley’s privacy and cyber-security practice, because they would fail to meet with the GDPR’s transparency requirements.
Maarten Stassen, partner in the privacy and cyber-security group at law firm Crowell & Moring, says: “any type of secret monitoring by private organizations is an absolute no-go.”
He adds, “One of the key principles of both the GDPR and the U.K.’s national data protection legislation specifying or restricting GDPR rules is transparency. Individuals should be informed about why and how their personal data, including images related to them, will be used. It is difficult to see how the exceptional circumstances related to the COVID-19 pandemic could provide a legal ground to overrule this essential requirement.”
“One of the key principles of both the GDPR and the U.K.’s national data protection legislation specifying or restricting GDPR rules is transparency. Individuals should be informed about why and how their personal data, including images related to them, will be used. It is difficult to see how the exceptional circumstances related to the COVID-19 pandemic could provide a legal ground to overrule this essential requirement.”
Maarten Stassen, Partner, Crowell & Moring
Ryan Dunleavy, partner and head of media disputes at law firm Stewarts, agrees. “Employers that think they can surreptitiously use CCTV to scan employees for coronavirus could find themselves facing a judge in London’s Media and Communications Court and a hefty set of claims in front of them that can attract reasonably high damages awards and gargantuan legal costs awards.”
Other EU data protection regulators have said they have received similar queries about checking employees’ temperatures and asking about health and recent travel. Since the beginning of March, data authorities in Belgium, Denmark, Ireland, France, Luxembourg, and the Netherlands have published statements advising companies against collecting too much employee data.
Despite the GDPR being uniform across 28 EU countries, however, it seems some data protection authorities are taking a harder line on potential obtrusive questioning (as well as on the use of body temperature scanning equipment) by employers than others.
For example, the French Data Protection Authority has said employers cannot require workers to do daily body temperature checks, while the Irish Data Protection Commission has said companies should prove “strong justification…based on necessity and proportionality and on an assessment of risk” if they send employees questionnaires about their health or personal travel. Luxembourg’s Data Protection Authority, meanwhile, has warned employers not to require employees give them a daily update of their body temperatures or they fill out medical sheets or questionnaires. The U.K.’s Information Commissioner’s Office has taken a pragmatic approach toward employers collecting data on employees, saying organizations have an “obligation to protect your employees’ health, but that doesn’t necessarily mean you need to gather lots of information about them,” and adding that companies can share information with relevant health authorities if they feel they need to as “data protection law won’t stop you from doing so.”
Some data protection regulators have issued practical guidance aimed at helping organizations assess whether their questioning is necessary, properly framed, and compliant with GDPR.
The Danish Data Protection Agency, for example, says that within the framework of EU data protection rules, an employer can record and disclose an employee’s health-related information, so long as it is “not so specific.” For instance, under current circumstances, it would be acceptable to record that an employee has returned from a so-called “risk area,” or an employee is in home quarantine (but without stating the reason) so management and colleagues can take necessary precautions.
The Danish regulator says records (and disclosure of them) must be factual, however, and the information “must be limited to what is necessary.” The Danish Data Protection Authority says that employers should therefore consider whether there is a good reason to record or disclose the information in question; whether it is necessary to specify the information, including whether the purpose can be achieved by “telling less,” and whether it is necessary to name individuals.
Lawyers say in “normal” circumstances, asking questions about an employee’s private medical history is usually not considered reasonable. But in circumstances where an employer is taking all reasonable steps to protect the health and safety of its workforce, such requests are likely to be viewed differently, says Ed Cotton, employment partner at U.K. law firm TLT.
For example, some employers may have a contractual right to request health information from employees. However, a ham-fisted or targeted approach could lead to claims of discrimination, especially if questioning is aimed at employees with particular racial characteristics.
“A consistent, reasonable, and proportionate approach should be adopted and applied equally across the whole workforce,” says Cotton. “That said, employers should consider the scope of their questioning and limit it to what is necessary in order to protect their workforce from potential infection. For example, questions should be limited to symptoms which are specific to COVID-19 rather than general health questions. Health enquiries should always be conducted in a sensitive, sympathetic manner which maintains the privacy and dignity of the individual in question.”
Barry Stanton, partner at law firm Boyes Turner, says if employers are asking questions about medical histories to assess specific risks to employees, the starting point should be to explain why the company is seeking that information and how long it wants to retain that information for.
“Employees cannot, even in the current environment, be forced to disclose their medical history,” says Stanton. “Providing employees with the tools to decide if they wish to provide sensitive personal information is always likely to lead to a better outcome. The key is identifying why the information is being sought and what use will be made of it. If a business will gather the information but do nothing with it then there is little purpose served by asking the question. If employees are being assessed to determine who should or might be able to work from home because they are in a high-risk group, that should be made known,” he adds.
Daniel Milnes, partner and governance and information lawyer at Forbes Solicitors, warns “companies need to be really careful not to confuse covert with non-consensual monitoring of which employees have notice.” He also says it is important for employers not to assume the worst if workers show symptoms: “context matters,” he says.
“For example, if an employee has just run to work to make sure they are on time, they may well appear hot and sweaty as they arrive. This cannot be simply construed as a sign of illness because an infrared camera reading has been used to deny their entry to work. The employee must be given the chance to explain his/her situation.”
While employers have a right to request medical records and evidence that shows why an employee is not fit to work, lawyers warn management and HR need to be mindful there’s not a great deal of medical history about coronavirus.
“If a company is requesting an employee’s medical history in relation to COVID-19, an employee may reasonably question how relevant this is and just what benefit it will deliver to the company,” says Emma Swan, partner and head of commercial employment law at Forbes Solicitors.
“Companies would be better advised to focus on an employee’s current health status and their potential risk of infection. Employers should develop standard questions that determine whether an individual has been potentially exposed to the virus and to record any concerns they may have about contracting the virus because of their work. These questions should cover topics such as the employee’s recent travel, if they’ve come into contact with people displaying symptoms, if they’ve shown any symptoms themselves, and if they’ve followed government guidance about coronavirus,” she adds.
Data protection is not the only aspect of corporate life set to come under the spotlight within the European Union as a result of the coronavirus pandemic. Compliance officers will also need to be aware of changes in competition law—and enforcement—as the outbreak of COVID-19 impacts the ways companies do business.
Matthew Hall, competition lawyer at law firm McGuireWoods, says there are three principal areas of competition law that will likely be affected by the coronavirus pandemic and that could have serious implications on companies. These are:
State aid: During the 2008 financial crisis, EU state aid rules still permitted governments to give banks large-scale bailouts to keep them from collapsing, often within 24 hours of EU member states notifying the European Commission of their intentions.
This present crisis looks no different.
On March 12, and within 24 hours of receiving notification from the Danish government, the Commission—the EU’s executive body—approved a €12 million (U.S. $13.4 million) plan to compensate organizers for damages caused by cancellations of large public events in Denmark due to the pandemic. This is the first and only state aid measure notified by an EU member state to the Commission in relation to the COVID-19 outbreak so far—but more should be expected.
On March 13, the Commission published detailed guidance on the extent to which EU governments can support business and “mitigate the consequences of the pandemic” while complying with the state aid rules. This particularly covers measures to alleviate the pressure on “at risk” companies and sectors, such as airlines and the hospitality and tourism sectors. Measures covering all companies such as wage subsidies, suspension of payments of corporate and value added taxes, or social contributions are allowed. Direct governmental support to consumers is also permitted. There are also specific additional exemptions that permit governments to help companies cope with liquidity shortages, provide urgent rescue aid, or compensate for particular damage—such as in the Danish case.
Following Denmark’s move, Hall believes that “we can expect every other EU government to notify the Commission that they are going to provide funding to prop up companies and even industries that are at risk of collapse.”
“The key questions are: what sort of amounts will the Commission deem acceptable, what industries can be covered, and what conditions will be put on the funding?”
Excessive pricing: There are always some companies that will take advantage of a crisis to make short-term financial gains, and the COVID-19 pandemic is no exception.
The Italian competition authority is already probing Amazon, eBay, and other online sellers over misleading reviews and price increases for hand sanitizers and face masks they are selling on their platforms, amid a spike in demand due to the spread of coronavirus.
The U.K.’s Competition and Markets Authority (CMA) has also issued a warning to companies and online resellers not to inflate prices excessively to take advantage of increased demand for certain products as the pandemic takes hold (and the public panic).
In a statement, CMA Chairman Lord Tyrie said: “We will do whatever we can to act against rip-offs and misleading claims, using any or all of our tools; and where we can’t act, we’ll advise government on further steps they could take, if necessary.”
The CMA also is considering consumer and competition law enforcement if companies refuse to heed its warning.
In reality, Hall says it is very difficult for regulators to take action against such practices under competition law. “Companies that have a dominant position can be found to be abusing that position if they hike prices as demand spikes. Consequently, the Commission and national competition regulators can take action and can fine such companies and force them to desist from such behavior,” says Hall.
“However, a company that does not have a dominant position can effectively price-gouge all it wants because, in effect, customers are supposed to have enough choice in the market to use another supplier if they want to. It is unclear what action—if any—the CMA is considering under competition law against non-dominant companies that carry out such practices,” he adds.
Cooperation between competitors: Desperate times lead to desperate measures, and to ensure the supply of key goods—such as foodstuffs, medicines, and healthcare products—competitors may need to work together.
Indeed, the U.K. government is already coming under pressure to relax competition rules to allow supermarkets to team up to tackle the problem of customers stockpiling as panic-buying increases.
Closer cooperation could be done through coordinating prices and sharing price-sensitive information, as well as through practices such as sharing trucks to transport goods and making agreements to divide distribution to certain customers or geographic areas (for example, one company supplies to the south of the United Kingdom, while the other supplies to the north)—all of which is normally barred under competition law.
“As a short-term solution to ensure that supply chains operate smoothly, governments and companies may want to relax competition rules to allow companies to bring in essential supplies,” says Hall.
“However, companies need to be aware that even if EU governments do want to relax the rules to enable closer coordination between competitors, it does not mean that competition law ceases to apply to the arrangements they put in place. Companies can still be found to have breached competition law, even if the government has seemingly sanctioned them by allowing closer cooperation,” says Hall.
“There are provisions formally to permit these types of arrangements—such as used in the United Kingdom in 2012 allowing joint planning during a strike by fuel tanker drivers—but arrangements which are informally permitted could easily be problematic,” he says.
Just when everyone thought Brexit would happen on Dec. 31, speculation is now rife that the process could be delayed—especially if the European Union and United Kingdom want to hammer out a trade deal.
Face-to-face talks were due to take place in London next week but have since been called off as a result of the pandemic, with officials exploring possible alternatives, such as video conferencing.
The U.K. government is adamant the country will leave at the agreed date as (technically) a request for another extension is not possible under U.K. law: When the government passed the EU Withdrawal Agreement last December, it added a commitment that the transition period would not be lengthened.
The projected timeline of the pandemic—months rather than weeks before it hits its peak, as well as the prospect of extended periods of self-isolation and employees (where possible) working from home—has shown, however, how delicate supply chains can be. The very-real prospect of deep recession may mean companies do not have the stomach—or capability—to weather more turmoil and uncertainty caused by additional Brexit-induced disruption.
Coronavirus: Tips for risk management
- Currently reading
Advice for European compliance officers dealing with coronavirus