On April 21, 2020, the European Data Protection Board (“Board”) issued guidelines on the processing of personal data for scientific research related to COVID-19.  The Board indicates that the GDPR takes into account the needs of scientific research and should not be a barrier to conduct such research, while at the same time, it helps ensure respect for the fundamental rights of patients.

Continue Reading European Data Protection Board Issues Guidelines on Processing Personal Data for Scientific Research Related to COVID-19

As we anticipated in a previous blog post, on April 22, 2020, the European Data Protection Board (“EDPB”) issued new guidelines on the use of location data and contact tracing apps in the context of the present COVID-19 pandemic.

The EDPB’s new guidelines complement and build on similar guidance previously issued by the Board itself (see here, here and here), and by the European Commission (see our blog post here).

The EDPB’s close scrutiny over the use of mobile data and apps in the context of the ongoing public health crisis is unsurprising, as many EU Member States have launched—or are in the process of launching—contact tracing apps to fight the spread of the virus, and these initiatives are receiving great attention by data privacy authorities and the general public (see our blog post here).

The guidelines aim to clarify the data protection conditions and principles that should be followed when:

  • using location data to model the spread of the virus to assess the overall effectiveness of confinement measures; and
  • using contact tracing apps, which aim to notify individuals who may have been in close proximity to someone who is infected or confirmed as a carrier of the virus, in order to break the contamination chain as early as possible.

The EDPB stresses that EU data protection rules have been designed to be flexible and, as such, do not stand in the way of an efficient response to the pandemic.  However, it notes that governments and private actors should be mindful of a number of considerations when they use data-driven solutions in response to the COVID-19 outbreak.


Continue Reading EDPB Issues New Guidance on the Use of Location Data and Contact Tracing in the Context of the COVID-19 Outbreak

On 8 April 2020, the European Commission adopted a recommendation on a common European Union toolbox for the use of technology and data to address the COVID-19 crisis (“Recommendation”).  The Recommendation responds to calls for a common EU approach to the use of mobile apps in combatting COVID-19—one that improves the efficacy of the technology while respecting citizens’ privacy rights.

The Recommendation has since been complemented by a separate Commission guidance paper on COVID-19 apps (“Guidance”) and release of a Common EU Toolbox for Member States (“Toolbox”) by the EU’s eHealth Network, a Commission-established body comprised of Member State authorities responsible for eHealth matters.   In addition, the European Data Protection Board (“EDPB”), which contributed to the Guidance, has published a letter to the Commission in response to the Guidance (“Letter”).

This blog will discuss the headline points contained within the Recommendation, Guidance, Toolbox, and Letter.  We will publish more detailed analyses of the Toolbox and Guidance in subsequent blogs.


Continue Reading EU Commission Releases Guidance on COVID-19 Apps

On March 28, 2020, the “Federal Act for the Protection of the Population against an Epidemic of National Significance” (Bevölkerungsschutzgesetz) went into effect.  The law forms part of an emergency legislative package introduced by the German government in response to COVID-19.

The law amends the Social Code V (SGB V)

The Federal Trade Commission has traditionally responded forcefully to public health and economic crises, and it is doing so again in response to the coronavirus pandemic.  The current crisis does present some additional complications, however, because of its impact on the operations of the agency itself.  Three particular aspects of the FTC’s consumer protection-related response stand out: (1) continuation of the agency’s scrutiny of false and deceptive product claims that seek to capitalize on the fears of consumers, (2) signs that the agency will work with businesses to accommodate the special pressures of the crisis, and (3) continuation but postponement of other, non-enforcement activities.

The FTC’s first consumer protection priority in response to the coronavirus pandemic has been to focus on especially egregious marketing scams that target particularly vulnerable populations.  The FTC has already issued a number of warning letters to sellers of supposed COVID-19 cures ranging from tea to edible silver and to voice over internet protocol (“VoIP”) service providers facilitating illegal coronavirus-related calls.  Fraud reports continue to rise rapidly: the FTC has received 7,800 coronavirus-related complaints this year, and almost half of these were filed in the last week.
Continue Reading The FTC’s Response to the Coronavirus Pandemic: Consumer Protection Priorities and Initial Actions

In response to the COVID-19 outbreak, several U.S. government entities have released warnings about a rise in scams and fraudulent activity connected to the outbreak.  In a recent bulletin, the FBI warned of a rise in phishing emails, counterfeit treatments or equipment for COVID-19 preparedness, and fake emails from the Centers for Disease Control and Prevention (CDC) purporting to provide information about the outbreak.  The FTC, meanwhile, has released not only a general overview of the steps that it is taking to combat scams related to COVID-19, but has also provided a specific list of seven types of COVID-19 scams that it has observed targeting businesses.  More information about these scams, and guidance from the FBI and FTC on how to protect against and respond to some of the most common risks, is below.
Continue Reading COVID-19 Cybersecurity Advice: FTC and FBI Provide Guidance on Cybersecurity Scam Trends and Preventive Measures

Over the past several days, Germany Supervisory Authorities and health authorities have issued statements and guidance about the handling of personal data in the context of the ongoing COVID-19 pandemic.  In this blog, we consider some these statements in greater detail, as well as their implications for employers and employees.

Continue Reading German Authorities Issue Guidance Related to Coronavirus

On March 16, 2020, the Chair of the European Data Protection Board (“EDPB”), Andrea Jelinek, issued a statement on the processing of personal data in the context of the COVID-19 outbreak.

The statement made clear that EU data protection law does not stand in the way of the adoption of measures to fight against the Coronavirus pandemic.  However, it stressed that controllers (including employers), as well as governments, should be mindful of a number considerations when adopting measures to fight the pandemic that involve the processing of personal data.


Continue Reading EDPB Chair Issues Statement on Data Protection and COVID-19

Covington experts on issues as varied as supply chain and other commercial contracts, employment, and insurance are supporting companies on the commercial implications of Coronavirus COVID-19.  But this blog post provides a brief overview of some of the key issues that privacy and cybersecurity professionals should have top of mind in dealing with response efforts.  We describe below both privacy implications of disclosing data to government authorities and commercial partners and strategies to manage COVID-19 risk by collecting additional information about employees and visitors, as well as the cybersecurity implications of these outbreak prevention and management efforts.

  • Our professionals around the globe have been advising clients on the privacy risks of disclosing health and other personal data to public health authorities and other government agencies.  As we blogged about here, regulators at many different levels of the Chinese government have been actively collecting personal data to monitor and mitigate the spread of the virus, and that’s now happening across the globe.  Other public health agencies worldwide are requesting information from private companies to assist with containing or mitigating the spread of the virus.  For example, they may seek information about a person’s contacts in order to conduct contract tracing of an infected person.  Although public health agencies generally have broad information-gathering authorities, these laws typically do not overcome privacy laws that restrict disclosures of personal or other sensitive information.  Companies may need to consider how to mitigate these legal risks before responding, particularly where more detailed information is requested.
    Continue Reading Key COVID-19 Issues for Privacy and Cybersecurity Professionals

On March 5, 2020, the Danish Supervisory Authority (“Datatilsynet”) issued a guidance document in which it clarifies how companies should process the personal data of their employees in the context of the coronavirus (“COVID-19”) crisis (see here, in Danish). This follows the publication of a similar guidance by the Italian Supervisory Authority (“Garante”) (see