Wearable technology in the workplace to tackle the COVID-19 pandemic? What about the GDPR?
Employers in the European Union are using wearable technology, such as smartphones, as a preventive measure to ensure that their company does not become a source of infection. They try to achieve this through source and contact tracing and by tracking employees. But how does this relate to the European GDPR rules? Stefania Marassi of The Hague University of Applied Sciences argues that strict conditions must apply before this technology may be used.
Now that the ‘new normal’ during the COVID-19 pandemic has kicked in, employers face the challenge of how to fully get back to ‘physical’ business and at the same time secure the health and safety of their workers. To what extent, then, could the use of wearable technology enable this process and remain within the boundaries of the GDPR?
There are already examples of how wearable technology is being used and might be used in the workplace to curb the COVID-19 outbreak. Dockworkers in the port of Antwerp are testing a wristband - Romware Covid Radius - produced by the Belgian tech company Rombit to ensure the required 1.5 meter social distance while working.1 Fitbit has also recently announced a study to research whether the data collected and processed with a Fitbit fitness tracker can reveal early symptoms of COVID-19.2 Further, research shows that “COVID-19 related symptoms [can be predicted] up to three days before they show up” with health tracking monitoring by Oura rings, amongst others.3
Employers seem eager to experiment with this technology. This does not come as a surprise. Not only do they have a duty of care towards their employees to prevent and reduce occupational health and safety (OHS) risks,4 they also have a keen interest in their business regaining pace.
To that end, wearable technology could be used to enforce social distancing amongst workers (e.g. with an alarm system) and, related to that, to do contact tracing if a worker tests positive for COVID-19. Further, technology could be deployed in workplaces “to spot coronavirus symptoms before [workers] even realize [they]’re sick”.5 Yet, despite their potentially positive contribution to the fight against COVID-19, the use of these devices prompts privacy-related questions, especially when these new technologies are (intended to be) deployed in an employment setting.
In this contribution I argue that wearable technology could enable employers in Europe to resume ‘physical’ business while ensuring the health and safety of their workforce. However, from a strict privacy and data protection law perspective, four key legal considerations must be made in light of the GDPR.6
1- To integrate wearable devices in the workplace, employers need to base their decision on a legitimate legal basis (principle of lawfulness - Art. 5(1)(a)). Examples of lawful bases that could be used are: a) compliance with legal obligations such as those laid down in OHS national legislations (Art. 6(1)(c), in combination with Art. 9(2)(b) or Art. 9(2)(h) if health data are processed); b) protecting the vital interest of the data subject, namely the worker (Art. 6(1)(d), in combination with Art. 9(2)(c) or Art. 9(2)(i) if health data are processed); and c) legitimate interests (Art. 6(1)(f), for example in combination with Art. 9(2)(b) if health data are processed).7
2- It is also essential that the (health) data that employers process with wearable technology are used only for a specified purpose, for instance safeguarding workers’ health. Any further non-compatible processing, e.g. for performance management-related decisions, is not allowed (principle of purpose limitation - Art. 5(1)(b)).
3- Employers need to make sure that only the (amount of) data that is necessary to reach the specified purpose is processed, and if less privacy-intrusive ways are available, those have to be preferred (principle of data minimization – Art. 5(1)(c)). It is, for example, questionable whether a wearable with an integrated GPS that can provide location tracking of the workers is necessary to achieve the purpose of securing and preventing health and safety risks in the workforce. In this respect, less privacy-invasive ways could be deployed: Bluetooth could be an example.
4- The data that are processed must be accurate (principle of accuracy – Art. 5(1)(d)). This still seems to be a major challenge for wearable fitness trackers, though. If heart rate variability could be used to detect early signs of COVID-19, how do we deal with the uncertainty surrounding the correlation between skin tone and heart rate variability detection?8
All in all, every use of a wearable device in the workplace as a preventative measure to secure the health and safety of the workforce must be decided on a case-by-case basis. It is true that the GDPR sets out the data protection principles that data controllers – employers in this case – have to abide by when processing personal data. However, compliance with these principles will depend on the specific features of the device (e.g. does the wearable have an integrated GPS that allows tracking of workers’ movement? Is health data collected, as this requires a further layer of protection under the GDPR?). The boundaries of the employer’s duty of care under national OHS legislations are also a determining factor in evaluating whether wearable devices can be deployed in the workplace to prevent the further spread of COVID-19.
Stefania Marassi, lecturer in EU Labour Law, International and European Law Program, and researcher in the Centre of Expertise Global Governance at The Hague University of Applied Sciences.
This legal obligation is laid down in European and national legislations (e.g. European Directive 89/391/EC).
On this topic, see also Aída Ponce Del Castillo, COVID-19 contact-tracing apps: how to prevent privacy from becoming the next victim, ETUI Policy Brief No. 5/2020. Given the limited space, this contribution focuses on four of the six data protection principles laid down in Art. 6 GDPR.
On this topic, see e.g. the European Data Protection Board (EDPB), Statement on the processing of personal data in the context of the COVID-19 outbreak, Adopted on 19 March 2020.