How to process employees’ health data in France after lockdown: dos and don’ts for employers

Norton Rose Fulbright - Data Protection Report blog

A few weeks ago, we provided you with a summary of the rights and obligations of employers with regard to the personal data of their employees during lockdown.

On 11 May, many employees will return to their workplaces. Below you will find answers to the main questions you may have ahead as the end of the lockdown approaches.

Could an employer require its employees to use StopCovid or a similar private app and require to see the results?

No.  The CNIL stated in its opinion of 24 April 2020, that the “voluntary” mode of the app implied that no negative … Continue Reading

StopCovid: the French contact-tracing app

Norton Rose Fulbright - Data Protection Report blog

Following the example of many European countries, the French government plans to introduce a contact tracing app, known as “StopCovid”.  The app is designed to be used by people once they leave the confinement of their homes with the aim of preventing the spread of COVID-19. StopCovid is being developed within the INRIA, the French national research institute for digital sciences and technologies.

This blog post summarises the status of the project and the discussions from legal, political, scientific and technological perspectives.

How will StopCovid work?

For each smartphone on which the app is downloaded, temporary crypto-identifiers will be generated … Continue Reading

How contact tracing apps in Asia are being used to fight COVID-19 – is the reward worth the risk?

Data Protection Report - Norton Rose Fulbright

The COVID-19 pandemic has seen governments across the world restricting civil liberties and movement to unprecedented levels. To aid the safe lifting of current public health restrictions, new technologies are being developed and rolled out to automate labour intensive tasks critical to containing the spread of the virus, such as contact tracing.

Contact tracing applications essentially work using either Bluetooth technology or GPS to log every time two or more users are close to each other for a certain period of time. If a person is diagnosed with COVID-19, other users who were close to that person can then be … Continue Reading

Irish data protection authority launches new cookie guidance and indicates cookie investigations are on the horizon

Norton Rose Fulbright - Data Protection Report blog

Last week, the Irish Data Protection Commission (“DPC”) published its much anticipated guidance note on cookies and similar tracking technologies (the “Guidance”).  It also published a report following a “cookie sweep” that took place between August 2019 and December 2019 of 38 data controllers (the “Report”).  The cookie sweep requested information from the data controllers and examined the deployment of cookies on their websites to understand how and whether they were complying with the cookie rules. It is clear the Report significantly influenced the Guidance and, as such, the Report provides an indication of … Continue Reading

California AG Issues Significant Changes to Draft CCPA Regulations as of March 2020

Data Protection Report - Norton Rose Fulbright

On February 7, 2020, and again on March 11, 2020, the Office of the Attorney General (OAG) issued revisions to the proposed California Consumer Privacy Act (CCPA) regulations, and there are some surprises in both the additions and in the deletions.  For the CCPA regulations to become effective on July 1, the final regulation text must be filed with the Secretary of State by May 29.

Click here for the text of modified regulations.  Our white paper with a summary of the changes is available for download here.… Continue Reading

Obtaining and sharing employee health status information in a pandemic

Norton Rose Fulbright - Data Protection Report blog

Employers across the world are facing extremely difficult challenges in keeping their workplaces safe for their employees, contractors and visitors during the COVID-19 pandemic.

Although the prevailing instinct is likely to be to protect and to prevent the spread of the virus at all costs, under data protection laws this still needs to be weighed against the privacy rights of employees. Depending on where their employees are located, employers may have to favor privacy over virus detection. This blog sets out a few of the key issues and a snapshot of how they are dealt with across five European jurisdictions … Continue Reading

NYDFS Requires COVID-19 Plans by April 9

Norton Rose Fulbright - Data Protection Report blog

On March 10, 2020, the New York Department of Financial Services (NYDFS) issued guidance to all of its regulated institutions engaged in virtual currency business activity, requiring them to have plans for preparedness to manage the possible operational and financial risks posed by the COVID-19 pandemic. NYDFS requires the plans to be submitted by Thursday, April 9, 2020.… Continue Reading

Good news for employers, finally – the UK Supreme Court hands down judgment in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents)

Norton Rose Fulbright - Data Protection Report blog

In a judgment which will be warmly welcomed by employers (and their insurers) in the UK, the UK Supreme Court today overruled the Court of Appeal in holding that that Morrisons supermarkets is not vicariously liable for a data breach maliciously caused by a former employee.

The Supreme Court concluded that the Court of Appeal had misunderstood the principles governing vicarious liability in their previous judgments in the case.… Continue Reading

Thailand Personal Data Protection Law

Norton Rose Fulbright - Data Protection Report blog

Background

The Personal Data Protection Act B.E. 2562 (2019) (PDPA) was published on 27 May 2019 in Thailand’s Government Gazette and became effective the following day. However, most of the operational provisions, including provisions relating to the rights of a data subject, the obligations of a data controller and the penalties for non-compliance, will become effective on 27 May 2020, 1 year after the PDPA is published.

The PDPA is under the supervision of the Ministry of Digital Economy and Society and the main supervising authority of the PDPA is the Office of Data Protection Committee (OfficeContinue Reading

LexBlog