This post is part of a series on contact tracing apps. You can read our introduction to the series and get links to the other entries here.

Will contact tracing be part of the 'new normal'? This question has led to very emotional discussions in Austria after a Financial Times interview this week with one of the Austrian government’s advisors. In the first published version of the interview, the advisor was quoted as saying that there should be discussions about generally making a contact tracing app mandatory in Austria (most likely having in mind the Stopp Corona App). According to the advisor's originally cited opinion, 'people will want to control themselves' and it will be part of the 'new normal' that everyone will have a (contact tracing) app installed. After some very emotional discussions in Austrian print and TV media following this interview, the advisor claimed to have been misquoted, the published Financial Times interview was edited, and the Austrian government explicitly announced that contact tracing apps will not become mandatory and will be used only on the basis of voluntary consent.

Although the actual usage rate of contact tracing apps within the Austrian population is quite low for their intended purpose (i.e. approx. 560,000 downloads so far), companies in Austria might think about making use of contact tracing to screen employees, visitors, and customers, as a tool to protect themselves as well as their employees, visitors and customers against COVID-19 infections. While this could enable entrepreneurs to restart their business and allow shorter reaction times in case of contact with people who have contracted COVID-19 and might be infectious, it is subject to several legal hurdles which might prove difficult to overcome in practice.

Forcing contact tracing on employees?

In Austria, an employer has the duty to introduce safety measures for the health and life of their employees. But such measures must in any case be proportionate to the risk to be mitigated. The usage of contact tracing apps may therefore only be considered if there are no less invasive instruments available.

Stipulating an obligation for one’s employees to track all their contacts (business and private ones alike) via a contact tracing app would concern their privacy and most likely require a works council agreement or all employees' explicit consent (where no works council has been established). Independent of the question of whether such a contact tracing obligation would be deemed as 'affecting' or even 'violating' human dignity (and thus might not be legitimate at all), mandatory contact tracing apps for employees would also require that, given the circumstances in which the work in such a company (or division) is carried out, there are no less invasive instruments available to achieve the objective pursued.

From a data protection perspective, the processing (tracking) of contacts (and health status) of natural persons is in Austria undoubtedly subject to GDPR requirements. So, GDPR principles and requirements like data minimization, limited storage period, technical and organisational security measures, privacy by design and transparent information of the data subjects apply. 

Following prior decision practice of the Austrian data protection authority regarding data processing in an employment context, if an employer decides to make such an app mandatory for its employees, data protection requirements have to be observed by the employer irrespective of whether the employer actually checks the infection status on the app or not.

Companies intending to introduce mandatory contact tracing for their employees should, as a first step, focus on finding a GDPR-compliant app which fulfils the requirements outlined above. According to guidance of the EDPB, such apps should not use location data (e.g. GPS data) but technologies like Bluetooth Low Energy instead (which is the case for the Austrian Stopp Corona App). Further, data should be kept on the smartphone to the extent possible.

Justifying the processing of personal data in the working environment via consent is always risky, as such consent may not only be withdrawn at any time without giving reasons, but according to the Austrian data protection authority's opinion such consent will only be considered valid if the processing activity provides a clear benefit for the employee. Instead of relying on the (explicit) consent of their employees, employers may, according to a statement of the Austrian data protection authority, process health data of their employees for COVID-19 prevention reasons based on their duty of care obligation set out in Austrian employment law (as long as all relevant employment law requirements are met).

Contact tracing mandatory for visitors and customers?

Let's assume an electronics shop makes using contact tracing apps mandatory for its customers and prevents them from entering the retail area if they do not have a specific contact tracing app installed.

Normally, it lies in the sole discretion of private companies to decide with whom they wish to enter into business relationships. However, companies with monopolistic or quasi-monopolistic market positions (e.g., supermarkets, railway or energy companies), which due to the imbalance of power are often obliged to contract with each and every potential customer on reasonable and usual terms, may under Austrian law only refuse to conclude a contract for a good (objective) reason. It seems quite unlikely that not having a contact tracing app installed would be considered such a good (objective) reason. Also, from a general anti-discrimination perspective, the requirement to have a contact tracing app installed would exclude everyone who does not possess a proper smartphone for such an app to be installed (as long as this is not mitigated by other measures such as key fobs or other devices / solutions which could provide similar tracking functions) and would thus particularly affect and discriminate against elderly citizens.

As long as the shop owner or its employees are not looking at the infection status of the visitor or customer, there do not seem to be major obstacles, at least from a data protection perspective. Even if the shop owner or its employees were to check the 'infection status' of a customer (if such an app provided this functionality at all), as long as this is not done in an area captured by CCTV or otherwise registered, the GDPR would not apply to such checks, because there is no processing 'wholly or partly by automated means' and no 'filing system'.
