key: cord-0840432-9fucs5wj
authors: Suder, Seili; Siibak, Andra
title: Proportionate response to a COVID-19 threat? Use of apps and other technologies for monitoring employees under the EU data protection framework
date: 2021-08-26
journal: Int Labour Rev
DOI: 10.1111/ilr.12331
sha: 64ff0ae3e4582ff58b384e50380a32241a60250b
doc_id: 840432
cord_uid: 9fucs5wj

The aim of the article is to explore potential ways employers could use contact-tracing apps and other monitoring technologies to mitigate the spread of COVID-19 and potential concerns in the context of the EU GDPR (General Data Protection Regulation). The analysis indicates that, due to the imbalance of power in the employment relationship, national laws are needed to strengthen employees' ability to reject downloading contact-tracing apps or similar monitoring technologies after the end of the COVID-19 pandemic. When the need for such technological means for keeping employees safe has receded, additional regulations and guidance are necessary to prevent future problems, such as function creep, and similar misuse by employers.

with using public health surveillance technologies (Klar and Lanzerath 2020; Floridi 2020). In addition to scholars voicing their concerns about governments offering surveillance solutions (van Kolfschooten and de Ruijter 2020), app users have initiated actions against app developers and health departments due to COVID-19 contact-tracing apps exposing sensitive data of individuals (Davis 2021). Less attention, however, has been paid to employer-employee power relationships and ubiquitous surveillance in workplaces (Yang 2020; Scassa 2021). The present paper aims to contribute to these discussions by exploring ways in which employers could rely on digital contact-tracing apps and other monitoring tools in the context of the GDPR.
The article gives an overview of the use of contact tracing and similar technologies in the workplace to mitigate the spread of COVID-19 and points out various concerns related to the EU data protection framework (the applicability of the GDPR, legal grounds for data processing, data protection principles, and data protection impact assessment). Mitigating the spread of COVID-19 in a workplace is the responsibility of the employer. The fact that employers must maintain safe workplaces and prevent work-related injuries and illnesses means that employers are also required to limit and, if necessary, track the cases of COVID-19 that arise in work settings. For example, guidance for reopening businesses issued by the White House includes a call for employers to "monitor workers." In deciding how to manage COVID-19 detection and control in a workplace, employers have several options, from the contact-tracing apps developed on the national level to various solutions generated on the organisational level. As the chance of becoming infected with COVID-19 increases with prolonged and close contact with an infected person, estimates of distance (proximity) and the duration of contact are important pieces of information to limit the spread of the disease. This information may be gathered using smartphones, as they keep track of location (via GPS and WiFi) and use built-in Bluetooth interfaces, allowing for communication and proximity detection with nearby smartphones (Ahmed et al. 2020). Widespread ownership and the above features have made smartphones ideal for automated contact tracing. The prime function of contact-tracing apps is to exchange information when the phones of two people are close enough to each other and to inform individuals if their counterparts during a social interaction were infected with COVID-19 (Azad 2020).
Although the first mobile health apps for public monitoring and surveillance, as well as for improving patient care and health worker safety, were created during the Ebola pandemic in 2014-2016 (Chen et al. 2017; Perscheid et al. 2018), there has been a surge in smartphone contact-tracing app usage during the COVID-19 pandemic (Ahmed et al. 2020; Ravindranath 2020). For example, almost all of the countries in Europe (except for Bulgaria, Luxembourg and Romania) have launched digital contact-tracing apps (European Commission 2020, "Mobile applications…"). Requiring one's employees to download contact-tracing apps initiated on the state level might thus seem reasonable for employers, as such apps are free and widely available in almost every country. Such a requirement, however, would also mean that employees would always need to carry their phones with them at work, with the app running. If an employer mandates that employees use apps, there are several practical issues to consider, for example which device the app will be installed on and, if the app is installed on a personal phone, how the employer will check whether the app has indeed been installed. Employers may pre-install apps on employer-issued devices, but they are unable to force their employees to install government-launched apps on their personal devices and have little ability to force employees to actively review, much less use, any information these apps provide. The European Commission (2020, "Mobile applications…") has stated that the use of contact-tracing apps implemented on the national level should be voluntary in EU Member States. Therefore, users have the option not to install the app if it leaks too much personal information. Nevertheless, in many EU countries, there is a concern that contact-tracing apps may still become mandatory if employers require their use as a condition of either returning to work or entering work premises (Scassa 2021).
Given that it is unlikely that the app would be voluntarily adopted extensively within a workplace, we argue that many employers may want to encourage more active adoption to increase the apps' efficiency. It is likely that many organisations will promote such apps as part of their health and safety strategies and highlight the benefits of everyone using them (Chesler 2020; Reuters 2021). Still, not all countries are willing to leave the decision making in the hands of employers. For example, Australia passed legislation that prevents private sector actors from making the use of contact-tracing apps mandatory (Privacy Amendment (Public Health Contact Information) Act 2020, No. 44, 2020). In the US, employers are permitted to require employees to use a contact-tracing app as a condition of employment (Brown et al. 2020; Bodie and McMahon 2020). In India, the contact-tracing app Aarogya Setu has already been made mandatory for government and private sector employees, some of whom need to download the app in order to access their workplaces or in order to get paid (Ghoshal 2020). Nevertheless, not all employers see the benefits of government-launched contact-tracing apps. Recently, employees from several organisations (e.g. banks and transport companies) in the UK have voiced their concerns that their employers are putting them at risk when they institute rules which require employees to leave their mobile phones in their lockers or to deactivate their apps while at work, thereby preventing them from using the NHS COVID-19 contact-tracing app. In the majority of cases, such employers justify this demand by claiming that they already have "strict Covid protective measures" in place, and thus see no need for an additional preventive feature (Clements 2020). Often these requests have also resulted in "false alerts" that ask people to self-isolate, causing concern and even stress amongst colleagues (Clements 2020).
For example, according to the NASUWT teachers' union, teachers in the UK are advised either to switch off the app or to disregard any notification to self-isolate (Webber 2020). The National Police Chiefs Council in the UK has also confirmed that police officers are being told not to install the NHS COVID-19 app on their work smartphones, and some have also been advised not to obey self-isolate alerts generated by the app when downloaded to their personal phones (Cellan-Jones 2020). Potential problems with the effectiveness of the app (Klar and Lanzerath 2020) could be partially solved by making use of custom-built solutions, i.e. employers have the option of building their own contact-tracing apps, sourcing one from app developers, or subscribing to workplace contact-tracing systems offered by private companies. Some of these employer-based tracing apps help employers track possible virus exposures in work premises by collecting data on workers' locations, movements and proximity to others (e.g. Shield for Business by Onspota, or the Employee Contact Tracing Tool by Kronos). For example, Siemens has a contact-tracing tool that monitors where infected employees have been, whom they have come into contact with, and on which floors of an office they may have spread the virus. In addition to identifying potential exposures to the virus, the system can also be used to decide which rooms need deep cleaning and where to institute social distancing rules (Chesler 2020). Several banks, for example, use strategies in which rotating shifts of people pass through buildings on different days, without clustering in the same areas, to avoid spreading COVID-19. For this purpose, JP Morgan, HSBC and Deutsche Bank plan to launch reservation apps and online systems that use algorithms and artificial intelligence to book seats. Apps such as these can use card-swipes at security turnstiles to identify patterns and suggest when someone should book a desk.
Furthermore, the data can tell companies when an office, or a whole floor, is empty, so that they can determine when to turn off lights, cancel janitorial services or downsize office space (Reuters 2021). Apps may also be set up to activate and start contact tracing only within a certain set of GPS coordinates and, conversely, to stop once outside those coordinates (Watkins 2021). For example, apps such as Blip generate a geofence, a virtual boundary that detects when an employee enters and leaves an area. The app registers a signal from the worker's phone, so the employer can tell whether an employee is on site and how many hours that person has worked. It only registers an employee's location when they enter and exit the geofence and does not track their specific movements (Johnson 2021). In addition, a very diverse set of technologies (Del Castillo 2020) which gather various amounts of different data are being developed and marketed to employers (Scassa 2021). For example, some employer-focused COVID-19 technologies are based on questionnaires (e.g. COVID-stop Manager by HeBA), while others focus on physical distancing (e.g. Covid Radius by Rombit). Often these technologies utilise workers' health data and enable employers to gather specific information on infected employees (e.g. Infectious Disease Tracking Tool by Vivid Learning Systems). In these cases, employees are usually asked to self-report their health symptoms and status (Adams 2020) and the system generates workers' risk levels based on their responses (KMWorld 2020). For example, organisations can implement the QR code-based check-in app hPass, which requires an individual to pass a symptom quiz before entering a facility, or make use of the app SaferMe (Haskins 2020), which uses the Bluetooth and GPS features of employees' smartphones to automatically record close contacts between staff and lets them manually enter details of other people (e.g. clients they come into contact with).
The SaferMe app also prompts staff to report on their health each day and, if any report symptoms, the app will generate alerts showing the work colleagues they have directly or indirectly encountered. Other devices, such as the Oura Ring, may record body temperature, resting heart rate, respiratory rate and other health-related elements, and not only alert employees to changes in their biometric measures, but also predict the illness, as an increased respiratory rate may indicate possible COVID-19 infection (Eckel 2021). In addition, employers may also purchase different wearables that conduct contact tracing (e.g. wearables developed by Estimote). Some of these use location-tracking and proximity sensors and allow employees to change their health status in the system. This information is sometimes stored in a health dashboard that provides detailed logs of possible contacts that are available to the employer (Etherington 2020). In other cases, employees may wear a sensor that is designed to inform them of risks immediately (i.e. by flashing, vibrating and escalating to auditory alerts) if people walk too close to one another. Some manufacturers, for example in Germany and in the US, are making use of sensors operating within bracelets or clipped to pockets that notify people when they get too close to another employee (As workplaces …, 2020). If an employee tests positive for COVID-19, the employer can see who they have been in contact with by looking at sensor data (Towers-Clark 2020). Lanyards which track the employee's proximity to readers placed beside door thresholds, soap dispensers and sinks can also be used. These devices enable employers to record when workers enter and exit rooms and whether they have washed their hands (Bittle 2020). Another potential option for employers is to use already existing tracking or surveillance technology for contact tracing, i.e.

This article is protected by copyright. All rights reserved.
employers may repurpose such technologies as cameras and digital badges for health and safety purposes to monitor where employees have been and with whom they may have had contact. For example, badges that allow access to workplaces can be used to determine who might have been in a specific room at the same time as an infected person. Some employers are also integrating artificial intelligence software into existing security cameras that can count bodies in a room, track employee compliance with social distancing and mask-wearing regulations, and send alerts when employees are not practising social distancing (Reuters 2021; Dave 2020). Employers may also combine different technologies used in a workplace to access multiple data sources and gain comprehensive insight across an entire company to reduce virus transmission. Considering that the power imbalance in the employment relationship makes it easier for employers to mandate that workers use apps or other technologies for health and safety purposes, contact tracing is easier to apply in a workplace. Hence, the use of different technical solutions may help employers create effective contact-tracing programmes and reinforce social distancing practices as part of a digitised work environment. However, this leads to an inevitable increase in surveillance in the workplace; despite being accepted at the time of a crisis, such technological tools can be problematic in a post-pandemic work environment. Thus, although it may prove to be easier to implement mandatory COVID-19 surveillance technologies in the workplace, the use of such technologies could lead to significant privacy, ethical and human rights issues (Luciano 2020; Scassa 2021). Furthermore, each of these technologies presents country- and region-specific challenges from a data protection and employment law perspective.
As the European Union has one of the newest and most substantial data protection frameworks in the world, the next section concentrates on the EU General Data Protection Regulation, which sets forth the main requirements to protect individuals whose data is collected for the purposes of limiting COVID-19 spread. Present scholarship (e.g. Guinchard 2020) is mainly concerned with the fact that there will not be adequate safeguards to deal with the huge data trove created by the use of contact-tracing apps. The primary concern of scholars (e.g. Ahmed et al. 2020) is the extent to which the apps can be re-purposed to track their users, and how the collected data may be used when the current pandemic ends. Vitak and Zimmer (2020) even argue that governments must look beyond near-term privacy-preserving steps taken by some of the app developers (such as Google and Apple), and seriously reflect upon possible future impacts these technologies may have on broader moral and political values. The above concerns are also the reasons why regulators, national data protection authorities and scholars have started to issue guidelines and recommendations to app developers and content creators to improve the development of their products in terms of security and privacy (The Centers for Disease Control and Prevention 2020; The European Commission 2020, "Communication from…"; Azad et al. 2020). In addition, the European Data Protection Board (EDPB) has adopted guidelines within the EU on the use of location data and contact-tracing tools in the context of the COVID-19 pandemic (EDPB 2020, "Guidelines 04/2020…"). Far less attention within the EU has been paid to workplace settings where employers are readily using contact-tracing technologies to mitigate the spread of COVID-19.
Therefore, given the increased workplace surveillance through contact-tracing technologies, it is also necessary to analyse whether the GDPR is up to the challenge in the employment context. The issue is even more relevant as the advice given by the EDPB concerning contact tracing in the workplace has been quite general (European Data Protection Supervisor 2020). During the COVID-19 pandemic, the GDPR has been both praised and criticised in regard to contact-tracing apps. For example, Labour MP and chair of the Joint Committee on Human Rights, Harriet Harman, has branded the GDPR wholly inadequate for ensuring the security and privacy of data collected by the government's COVID-19 contact-tracing app (Scroxton 2020). Scholars, however, have stated that the EU data protection legal framework was designed to be sufficiently flexible to allow both for an efficient response in limiting the pandemic and for protecting fundamental human rights and freedoms (Kędzior 2021; Bradford, Aboy and Liddell 2020). In the following sections, we will concentrate on analysing different data protection issues that are relevant when making use of different contact-tracing solutions at work locations in the EU. If the employer processes employees' personal data collected through contact-tracing technologies within the EU or the European Economic Area, compliance with the GDPR needs to be considered: tracing apps and other technologies intended for use in these territories need to follow the GDPR. For the GDPR to be applicable, an employer's activities need to amount to the processing of employees' personal data. Personal data in the GDPR is defined as "any information relating to an identified or identifiable natural person" (GDPR Article 4(1)). Therefore, in order for the GDPR to be applicable, apps have to provide information that is linked to an employee and can, on its own or combined with other information, lead to the identification of that employee.
In the case of contact-tracing solutions, the question of personally identifiable data can be crucial, as, depending on the type of technology, an employer may or may not have access to personal data. The applicability of the GDPR depends on what data is accessible to the employer and in what form the data is collected and stored. Contact-tracing and other technologies that mitigate the spread of COVID-19 gather a variety of data. More conventional personal data that might be involved include identity data: the user's name, address, gender, contact details, etc. Contact-tracing apps and other technological solutions may also process health data (e.g. whether the user has tested positive for the virus or not) and location data or social/proximity graphs that indicate interactions between users and the people they came into close contact with (Ahmed et al. 2020). For example, Onspota's Shield For Business app enables organisations to define what employee data are collected for the purpose of identifying that worker. Some companies ask that employees be identified by name and phone number, while other companies want their employees identified only by a number. Employees are notified on the app if they have met someone who has tested positive for coronavirus, but only by location and time, not by name. Only employees working within the organisation are notified (Shemer 2021). Employers may also receive general information, such as a risk analysis of a specific room or workplace (e.g. the location of users with positive COVID-19 test results that shows high-level hotspots for COVID-19 infections) and the overall health status of the workforce (e.g. which departments are experiencing COVID-19 symptoms). A contact-tracing system may also record the presence of a person in a specific room every day, and from there it is easy to determine who the person is.
Thus, when tracing technologies are used to monitor location and the traced employee is performing her tasks in a specific workplace, it is also possible that, through an analysis of the employee's movements, her identity will be determined. Therefore, we argue that different technological solutions can collect personally identifiable information that is available to the employer (specifically if the app/wearable has been developed in collaboration with an employer or has been sourced specifically for contact tracing in a workplace) and trigger the applicability of the GDPR. However, depending on the user or the architecture and salient features of the app (cf. Azad et al. 2020), employers may not receive personal information on employees. For example, some contact-tracing apps using Bluetooth technology broadcast anonymous "chirps" or "keys" from a phone. These keys change frequently, possibly every few minutes. If two phones running an app come into close enough contact for a long enough period of time, the two phones exchange keys (Brown et al. 2020). Scholars have analysed whether these unique identifiers, although encrypted, could also be linked to a particular person and most likely meet the GDPR definition of personal data (Bradford, Aboy and Liddell 2020). However, unless employers receive these unique identifiers, the applicability of the GDPR is not triggered. Therefore, a more privacy-friendly option is to use a COVID-19 tracing app in which a randomly generated identifier is assigned to the user that does not reveal any personal information. Furthermore, the app should only scan and send data to its servers, and not to any other destinations (Watkins 2021).
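To make the rotating-key mechanism described above concrete, the following Python model shows why an employer who only sees the exchanged identifiers learns nothing that names an employee. It is an added example, not code from the article or from any real contact-tracing app, and it simplifies: identifiers are derived with HMAC-SHA256 from a per-device daily key, the rotation interval (10 minutes), the proximity threshold (2 metres) and the "long enough" duration (15 minutes in total) are assumed values, and the infected user's daily key is treated as published only after that user chooses to report. The `demo()` scenario (alice, bob, carol, dave) is constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed parameters of this simplified model (not any real app's specification)
EPOCH_SECONDS = 600                      # identifier rotates every 10 minutes
EPOCHS_PER_DAY = 86400 // EPOCH_SECONDS
MAX_DISTANCE_M = 2.0                     # "close enough" threshold
MIN_CONTACT_SECONDS = 900                # "long enough": 15 minutes in total


def ephemeral_id(daily_key: bytes, epoch: int) -> bytes:
    """Short-lived identifier broadcast during one epoch. Without the daily
    key, identifiers from different epochs cannot be linked to one device."""
    return hmac.new(daily_key, epoch.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


@dataclass
class Phone:
    owner: str                                   # stays on the device, never broadcast
    daily_key: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    seen: dict = field(default_factory=dict)     # ephemeral id -> seconds in range

    def current_id(self, t: int) -> bytes:
        return ephemeral_id(self.daily_key, t // EPOCH_SECONDS)

    def record(self, other_id: bytes, seconds: int, distance_m: float) -> None:
        # Only close encounters are logged; far-away broadcasts are dropped.
        if distance_m <= MAX_DISTANCE_M:
            self.seen[other_id] = self.seen.get(other_id, 0) + seconds


def encounter(a: Phone, b: Phone, start: int, duration: int, distance_m: float) -> None:
    """Both phones log the other's broadcasts slice by slice, because the
    identifier may rotate in the middle of a long encounter."""
    end = start + duration
    t = start
    while t < end:
        slice_end = min(end, (t // EPOCH_SECONDS + 1) * EPOCH_SECONDS)
        a.record(b.current_id(t), slice_end - t, distance_m)
        b.record(a.current_id(t), slice_end - t, distance_m)
        t = slice_end


def matched_seconds(phone: Phone, published_key: bytes) -> int:
    """Re-derive every identifier of a published (infected) key and sum the time
    this phone spent in range of them. Runs on the device, not on a server."""
    return sum(phone.seen.get(ephemeral_id(published_key, e), 0)
               for e in range(EPOCHS_PER_DAY))


def is_exposed(phone: Phone, published_keys: list) -> bool:
    return any(matched_seconds(phone, k) >= MIN_CONTACT_SECONDS for k in published_keys)


def demo() -> dict:
    """Constructed scenario: alice later tests positive and publishes her key."""
    alice, bob, carol, dave = (Phone(n) for n in ("alice", "bob", "carol", "dave"))
    encounter(alice, bob, start=9 * 3600, duration=1200, distance_m=1.0)    # 20 min, close
    encounter(alice, carol, start=11 * 3600, duration=300, distance_m=1.0)  # 5 min, close
    encounter(alice, dave, start=14 * 3600, duration=2000, distance_m=5.0)  # too far
    published = [alice.daily_key]
    return {p.owner: is_exposed(p, published) for p in (bob, carol, dave)}


if __name__ == "__main__":
    print(demo())
```

The `seen` log of any phone holds only 16-byte tokens and durations; the `owner` field never leaves the device, and the daily key that lets tokens be linked back to one device is released only when its holder reports an infection. That is the property the text relies on when it says the GDPR is not triggered for an employer who never receives the identifiers.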
In the context of the GDPR, the concepts of controller, joint controller and processor are crucial since they determine who is responsible for compliance with different data protection rules, and how data subjects can exercise their rights (Bradford, Aboy and Liddell 2020). To ensure accountability, the controller of any contact-tracing application should be clearly defined. If employers opt to use their own technology as opposed to government-initiated apps, they will most likely be the controllers of the app and have greater data protection responsibilities in respect of any data generated by the app. For example, a spokesperson for the UK-based contact-tracing app maker BrightHR has indicated that although the app collects the data, that data "belongs to the customer organization", i.e. the company using the app, and is thus subject to the company's own policies (Johnson 2021). As a controller, the employer has to follow the rules of the GDPR (e.g. have legal justification for data collection, and follow the principles of data processing). For example, the controller has to choose processors (i.e. app developers) who can demonstrate compliance with data protection by design. Thus, employers should have data processing agreements in place with the providers of contact-tracing apps if those providers hold or have access to data collected via the app on behalf of the employer (including an obligation to ensure that data is kept safe and secure by app providers). Hence, collaborations between app developers and employers need to respect the rules set out in the GDPR (e.g. Article 28 of the GDPR). Unfortunately, the roles of controller and joint controller are not always clear-cut if an employer uses contact-tracing technologies that are developed by the government or by large corporations and that are meant for wider use.
In the case of government-launched applications, national health authorities should be the controllers of personal data, as they determine the purposes and means of data processing. However, other controllers are also possible. If the deployment of contact-tracing apps involves different actors, their roles and responsibilities must be clearly established from the outset and be explained to the users (EDPB 2020, "Guidelines 07/2020…"). For example, employers may wish to make use of government-launched contact-tracing apps to assure the health and safety of their workers and clients. One way of doing this is to ask employees whether they have the app installed on their smartphones and, if so, what their status is (i.e. whether they have received an infection alert). We argue that the extent of an employer's responsibility for privacy in relation to such apps depends on the role the employer plays. If the employer is relying on its employees to voluntarily pass on relevant information generated from government-launched contact-tracing apps, it is probably not a controller of the data in the sense of the GDPR, as it does not determine the purposes and means of the processing. However, in our opinion, the role of employers inevitably becomes more complicated if they insist on workers downloading and using government apps for workplace safety. In this case they take a more active role by determining the purpose and means of the processing and, therefore, become controllers within the definition of the GDPR. To have clarity concerning this question, we recommend that the EDPB guidance on the concept of controllers, processors and joint controllers (EDPB 2020, "Guidelines 07/2020…") be reviewed, and, if employers start to mandate the use of government contact-tracing apps in a workplace, that joint controllership responsibilities be considered.
Most of the data protection authorities within the EU stress that under employment law employees are obliged to inform the employer if they suspect exposure to the virus, have been diagnosed with COVID-19 or are a threat to others in the workplace (Suder 2020). Some data protection agencies also suggest that employers raise awareness and invite employees to provide information to the employer regarding possible exposure (Suder 2020). Therefore, in most EU nation states an employer should be able to ask employees to disclose whether they have received an exposure alert from a contact-tracing app. In this case, the employer must rely on employees' self-declaration of exposure to infection. We argue that, although experts and data protection agencies (see the Information Commissioner's Office 2020) in the EU mostly state that it is advisable to use contact-tracing technology on a voluntary basis, nothing in the GDPR prohibits employers from using this technology if they have legal grounds for data processing and follow the principles of data protection. In our opinion, employers may therefore strongly encourage or require employees to download and use relevant apps to reduce the spread of the virus. This will likely require an occupational health and safety risk assessment which indicates that a measure, e.g. use of an app, would help to safeguard the workforce and customers within the workplace. Contact-tracing apps should also complement other measures taken to help reduce the spread of the virus. The EDPB declares ("Guidelines 04/2020…") that location data collected from electronic communication providers (e.g. app developers) may only be processed in accordance with the ePrivacy Directive (Articles 6 and 9). This means that such data can only be transmitted to authorities or other parties (e.g.
employers) if they have been anonymised by the provider or, for data indicating the geographic position of the terminal equipment of a user which are not traffic data, with the prior consent of the users. For this reason, contact-tracing apps should not collect data without the end user's consent. However, the mere fact that the use of contact-tracing applications takes place on a voluntary basis does not mean that consent is necessarily the legal basis for data processing at work (EDPB 2020, "Guidelines 04/2020…"). Employers, therefore, need a lawful basis to justify data processing (whether they are processing location data or other personal data) under the GDPR. Personal data processing is allowed only under the exhaustive list of legal conditions mentioned in the GDPR (Article 6). These conditions are relevant because they represent a precondition for employees' personal data processing and render the processing unlawful if not directly complied with. Possible legal justifications that employers may use during the pandemic have been suggested by the EDPB, national data protection authorities and researchers (Suder 2020; German Data Protection Supervisory Authorities …; The Hungarian National Authority for …). According to the EDPB, the GDPR provides several legal justifications for companies to process personal data during the COVID-19 pandemic without the consent of the data subjects (Jelinek 2020). Employers may process employees' personal data if it is necessary for compliance with their "legal obligation" (e.g. obligations relating to health and safety at the workplace) or necessary for the "public interest" (e.g. the need to control a disease and limit threats to health).
As these legal justifications need to be laid down by European Union or Member State law, the EDPB also reminds employers that they are allowed to process personal data in accordance with national law (EDPB 2020, "Statement on the…"). For example, in the UK it is a legal requirement for certain organisations to collect customer, visitor and staff contact details for contact-tracing purposes (Information Commissioner's Office 2020). Employers may also process employees' data if it is "necessary for the purposes of the legitimate interests pursued by the controller" (Art 6(1)(f) GDPR). However, in this case, organisations need to perform a balancing test to verify whether the interest linked to the purpose to be achieved through data processing is overridden by the rights, freedoms or legitimate interests of the employee. Research shows that the collection of employee data during the COVID-19 pandemic should be aligned with employees' individual interests in their well-being, so it is unlikely that there will be overriding compelling individual rights that invalidate the processing (Suder 2020). In addition, the "vital interest of the data subject or another natural person" is another possible legal basis mentioned by the EDPB and EU data protection agencies (Jelinek 2020; German Data Protection Supervisory Authorities). Recital 46 of the GDPR also recognises that in exceptional situations, such as an epidemic, the legal basis for processing activities can be "vital interest" (Art 6(1)(d) GDPR). It can be argued that this basis should be interpreted in the broadest possible way to justify the "processing of personal data aimed at protecting all those persons susceptible to being infected in the spread of an epidemic", such as employees and clients at a workplace (La Agencia Española de Protección de Datos 2020).
Others, however, have been hesitant to rely on "vital interests" as a legal basis during the COVID-19 pandemic, since its use should take into account the actual circumstances in a country or region, including, among other factors, infection rates in the population (L'Autorité de protection des données 2020).

If the personal data fall within the category of health data (e.g. COVID-19 symptoms, or a notification of possible exposure to the disease), a further condition under Article 9 GDPR must be satisfied. Employers may process an employee's health data only in exceptional cases, as health data belong to the special categories of personal data and require specific protection. Guidance from the EDPB and national data protection authorities nevertheless indicates that, even though health data may be processed only restrictively, they can still be processed to protect one's employees. Employers are granted such a right where there is a substantial "public interest in the area of public health", on the basis of Union or Member State law (EDPB 2020, "Guidelines 04/2020…"). Employers may rely on this condition to justify processing health data related to the coronavirus if they are following explicit instructions and acting on the advice of the competent authorities (L'Autorité de protection des données 2020; The Data Protection Commission 2020; La Agencia Española de Protección de Datos 2020). Most data protection authorities in the EU (see Suder 2020; Datenschutzbehörde 2020), however, suggest that employers may process health data where this is necessary for carrying out the obligations and exercising the specific rights of the controller in the field of employment law, in so far as this is authorised by Union or Member State law (Art. 9(2)(b) GDPR).
In this case, the authorisation derives from the employer's obligation to protect employees against occupational hazards and to take the measures necessary to ensure a safe working environment. The processing of health data is also lawful when the employee has manifestly made the data public (Art. 9(2)(e) GDPR). For example, when an employee voluntarily announces that they have COVID-19, the employer may process that information. We believe it needs to be stressed, however, that telling a few colleagues about one's illness is not the same as making the information public, and employers need to take this into account.

As is evident, employers have several possible legal justifications for processing employees' personal data (including health data) obtained through the different technologies implemented in the workplace. In our opinion, however, the large number of possibilities causes confusion. Employers in different EU Member States appear to have several ways to process employees' data, yet national data protection authorities and the EDPB have provided only general guidance on the topic. Despite the different legal bases suggested by these authorities, employers still seem to prefer the "easiest option": the consent of the employee. This legal basis is fraught with potential hurdles, which are discussed in the next section.

One way to introduce contact-tracing apps in the workplace is to obtain freely given consent from employees. Scholars have argued, however, that consent is meaningless where the data subject needs a certain benefit (Belli, Schwartz and Louzada 2017), and that, because of the imbalance of power in the employment relationship, consent is likely to turn into an empty ritual (Padi 2018). Under the GDPR, consent "should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment" (Recital 42).
The employer should therefore not be able to use its position to pressure employees into agreeing to download contact-tracing apps. The GDPR does not prohibit the use of consent in the employment relationship (Article 29 Data Protection Working Party 2017), but it is up to the employer to demonstrate that the monitoring was freely consented to. If consent is used as the legal basis for downloading a contact-tracing app, it should be restricted to situations in which the employee is genuinely able to exercise free choice without any negative consequences (Article 29 Data Protection Working Party 2017). When assessing whether consent is freely given, utmost account must be taken of whether, inter alia, the performance of a contract is made conditional on consent to processing of personal data that is not necessary for the performance of that contract (Art. 7(4) GDPR). This provision anticipates an employment situation in which an offer is made on a "take it or leave it" basis (Mangan 2018). Employment should never be made contingent on willingness to download a contact-tracing app, and a dismissal on the ground that an employee refused to do so could be judged unlawful.

We also have to take into consideration that refusing consent is often complicated in an employment relationship. For example, refusing a key card that is used for contact tracing is difficult if the same card also opens the premises. Employers should therefore offer employees different options for mitigating the risk of COVID-19. For instance, Onspota's team, which developed the Shield for Business app, offers employees who do not consent to using the app an alternative: scanning QR codes placed across the factory floor (Shemer 2021). Sometimes it is also difficult to refuse consent because refusing is seen as somehow "abnormal" (Poullet 2009).
For example, colleagues who have downloaded the app can set a trend for others, decreasing scepticism towards the technology (Gauttier 2019) and generating a culture in which employees are expected to endorse the solution. We argue that widespread use of the apps, peer pressure and the various affordances provided by the app and by the workplace infrastructure act as triggers for the adoption of contact tracing and can thus affect the quality of the consent the employee gives. As a consequence, employees may be unable to make a calculated and rational decision about contact tracing and may be pressured into agreeing to the solutions the employer offers.

Voluntary contact tracing also requires informed consent. Consent needs a clearly defined scope: consenting employees need the relevant information so that they know what they are consenting to (Mitrou 2019). In the case of contact tracing, however, an informed decision is hard to make. Informed consent should rest on proper knowledge of how the app's data are used, where any sensors that trace employees' movements are placed, and whether the data received from the app are combined with other data. Attempts to inform employees meaningfully may also be inadequate. Research suggests that highly technical, long and complex privacy notices or policies often fail to inform data subjects about the true nature of data processing practices (Special Eurobarometer 359 2011). Even where organisational guidelines and policies exist, employees may still not be sufficiently informed to give informed consent (Suder and Siibak 2017). Often, such policies do not state clearly what data are collected, for what purposes, how the data are analysed, and which decisions result from the analyses (Solove 2013).
Also, in an effort to avoid liability and to leave room for future uses of the data, employers may foreseeably draft vague privacy policies to cover any unforeseen eventuality of processing (Padi 2018). We argue that consent gathered through such privacy notices and policies is meaningless, since broad and vague information fails to genuinely inform the employee about all aspects and consequences of the contact-tracing technology. Furthermore, as employers do not usually develop the apps themselves, they often know little about how the data are collected, stored, shared or used (Johnson 2021), and hence cannot pass this information on to their employees.

The deployment of new applications and the intensified use of existing technologies to tackle the COVID-19 pandemic also make it necessary to revisit the data protection principles of Article 5 GDPR. Researchers have indicated that these principles are key to the successful deployment and adoption of such technologies (Newlands et al. 2020), and the majority of EU data protection authorities (see The Hungarian National Authority for Data Protection…) emphasise the importance of the general principles of data processing in the context of COVID-19. This section looks at a few of these principles, as they are of vital importance for contact-tracing apps.

If an employer uses contact-tracing technologies, personal data should be used only for specified purposes, and those purposes should be communicated to employees. The precise purpose(s) will depend on the functionality of the app. The purposes must therefore be specific enough to exclude further processing for purposes unrelated to the management of the COVID-19 health crisis (e.g. monitoring the behaviour and performance of employees).
Examples of illegitimate further processing include installing cameras to prevent the spread of COVID-19 in the workplace and repurposing them afterwards to monitor how employees are performing, how much time they spend at their workstations, which colleagues are holding meetings, and so on. Our concern is that contact-tracing apps increase the amount of data generated in the workplace. This may lead employers to use the technologies for purposes other than those originally planned, resulting in illegitimate further processing of workers' data: the risk of "function creep", the use of data for purposes the data subject never intended. For example, data first used for contact tracing could later be used to check employees' attendance and their use of working and break time (cf. Johnson 2021).

Because of these concerns, both EU data protection authorities (see the German Data Protection Supervisory Authorities…) and researchers (Gasser et al. 2020) have emphasised that digital infectious-disease surveillance and related measures must cease at the end of the pandemic, and that any personal data collected to combat COVID-19 must be deleted once they no longer serve the purpose for which they were collected, i.e. when the pandemic has ended or is sufficiently contained. This means, for example, that a contact-tracing app should be discontinued once the pandemic has ended and the stored personal data destroyed. Some authorities managing tracing apps have likewise indicated that the collected app data will be removed once the system is deactivated at the end of the pandemic (Ahmed et al. 2020). "End of the pandemic" is, however, a vague term, and there is no clear knowledge of what will happen to the technologies used in a workplace after the virus has receded.

The European Commission has emphasised that contact-tracing apps should collect the minimum amount of data required (European Commission 2020, "Mobile applications…").
According to the EDPB, a contact-tracing application should not collect unrelated or unnecessary information: contact tracing does not require tracking the location of individual users and can instead rely on proximity data (EDPB 2020, "Guidelines 04/2020…"). Similarly, the data an employer processes from contact-tracing apps should be strictly limited. However, studies (Azad et al. 2020) indicate that a number of contact-tracing apps request permissions that may not be required for the app's function (e.g. access to storage media, cameras and microphones). It is also important to note that we live in a digital ecosystem in which many of the innovative technologies individuals use have been developed in direct opposition to the core legal principles of data protection. Instead of limiting data processing to what is needed to provide a service, a number of businesses collect as much data as possible. Many health apps violate the GDPR by collecting far too much data for too long, without transparency, and without securing the data (Guinchard 2020). It is therefore essential that contact-tracing apps used in a workplace do not follow similar practices.

As is evident from the above, there has been much discussion of the different data protection principles. One principle in particular, fairness, seems to be forgotten in the wider debate. To ensure fair and transparent processing in respect of the employee, the employer should also take into account the specific circumstances and context in which the personal data are processed (GDPR Recital 60). Researchers have indicated that the appropriateness of sharing data with third parties (e.g. employers) to support public health in the context of COVID-19 is contextually dependent (Vitak and Zimmer 2020).
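An employer who deploys a third-party tracing app can verify the permission finding above (Azad et al. 2020) against the app's own manifest rather than take the vendor's word for it. The script below is an added example written for this article, not code from the article, from any data protection authority or from any named app. The allowlist for a Bluetooth-proximity design is an assumption to be adjusted to the app's documented purpose, and the manifest is constructed for the example. It also records one caveat a reviewer needs: on Android 6 to 11 the OS will not deliver Bluetooth LE scan results unless a location permission is granted, so a location permission on its own is something to verify in the code, not automatic proof of location tracking.

```python
"""Added example (not code from the article, any DPA, or any named app):
flag permissions in an Android manifest that a Bluetooth-proximity
contact-tracing app has no evident need for.  The manifest and the
permission allowlist are constructed for this example."""
from typing import Dict, Set
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
FLAGS_ATTR = f"{{{ANDROID_NS}}}usesPermissionFlags"

# Assumed allowlist for a design that exchanges Bluetooth proximity tokens and
# uploads keys over the network; adjust it to the app's documented design.
EXPECTED: Set[str] = {
    "android.permission.BLUETOOTH",
    "android.permission.BLUETOOTH_ADMIN",
    "android.permission.BLUETOOTH_SCAN",
    "android.permission.BLUETOOTH_ADVERTISE",
    "android.permission.BLUETOOTH_CONNECT",
    "android.permission.INTERNET",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}
# Caveat: on Android 6 to 11 the OS refuses BLE scan results unless a location
# permission is granted, even if the app never reads GPS.  A location
# permission alone is therefore a finding to verify against the code, not an
# automatic violation of data minimisation.
LOCATION_FOR_BLE: Set[str] = {
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
}
# Permissions with no plausible contact-tracing purpose: the storage, camera
# and microphone cases the article cites, plus other sensitive ones.
HIGH_RISK: Set[str] = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}


def requested_permissions(manifest_xml: str) -> Set[str]:
    """Return every permission name declared via <uses-permission> or
    <uses-permission-sdk-23>."""
    root = ET.fromstring(manifest_xml)
    names: Set[str] = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(NAME_ATTR)
            if name:
                names.add(name)
    return names


def scan_declared_never_for_location(manifest_xml: str) -> bool:
    """True if BLUETOOTH_SCAN carries the neverForLocation flag (Android 12+),
    the app's own assertion that scanning is not used to derive location."""
    root = ET.fromstring(manifest_xml)
    for el in root.iter("uses-permission"):
        if el.get(NAME_ATTR) == "android.permission.BLUETOOTH_SCAN":
            return "neverForLocation" in (el.get(FLAGS_ATTR) or "")
    return False


def audit(manifest_xml: str) -> Dict[str, Set[str]]:
    """Bucket the requested permissions for a data-minimisation review."""
    perms = requested_permissions(manifest_xml)
    return {
        "high_risk": perms & HIGH_RISK,
        "location_possibly_for_ble": perms & LOCATION_FOR_BLE,
        "unexplained": perms - EXPECTED - LOCATION_FOR_BLE - HIGH_RISK,
    }


# Constructed manifest for the example (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tracer">
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="com.example.tracer.VENDOR_ANALYTICS"/>
</manifest>
"""

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_MANIFEST).items():
        print(f"{bucket}: {sorted(names)}")
    print("BLUETOOTH_SCAN neverForLocation:",
          scan_declared_never_for_location(SAMPLE_MANIFEST))
```

To run it against a real package, decode the APK first (for instance `apktool d app.apk` writes a readable AndroidManifest.xml into the output directory; `aapt dump permissions app.apk` lists the same names) and pass the manifest text to `audit()`. The "unexplained" bucket is the one to take back to the vendor: a custom permission such as the analytics one in the sample is exactly the kind of undocumented data flow the article says employers usually cannot explain to their employees.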
Vitak and Zimmer (2020) argue that if we ignore this contextual integrity we risk the long-term loss of autonomy and growing function creep across a wide range of technologies. We therefore argue that it is crucial that employers handle employees' personal data from contact-tracing technologies only in ways the employees would reasonably expect, and do not use the information in a manner that unjustifiably affects employees negatively. In our opinion, the harm that may arise from employers seeking information through contact-tracing apps amounts to "informational injustice" (Hoven and Weckert 2009): information provided in one context being used in another. For example, employees might be comfortable with data from contact-tracing apps being shared with health authorities or their health providers, but may feel that sharing the data with their employer is inappropriate. Likewise, individuals who are comfortable sharing their location with an app developer in order to receive contact-tracing services may not accept that data flowing to their employer for long-term monitoring of their movements. Hence, we argue that employers need to consider the role of context when monitoring employees and refrain from any unjustified activities (e.g. dismissing employees who refuse to download a tracing app).

Researchers have emphasised that compliance with data protection law is not a box-ticking exercise to be undertaken after the digital technology has been developed (Guinchard 2020). Data protection by design requires both controllers and processors to identify potential privacy risks before the app is rolled out, not afterwards. For high-risk processing, such as the processing of health data, a data protection impact assessment (i.e. a process to identify data protection and privacy risks and address them accordingly) is mandatory, so as to mitigate the risks and, if mitigation is not possible, to decide whether the processing should be pursued at all (GDPR Article 35; Maddocks 2020). Similarly, the EDPB has stated that a data protection impact assessment must be carried out before contact-tracing tools are implemented, as the processing is likely to be high risk: health data, anticipated large-scale adoption, systematic monitoring and the use of a new technological solution (criteria set out in Article 29 Data Protection Working Party 2017, "Guidelines on…"). The EDPB also strongly recommends that these assessments be published. However, not every contact-tracing app is accompanied by an impact assessment, nor is an impact assessment always readily available (Ahmed et al. 2020). There is also little information on whether employers who encourage or require employees to download these apps have read the assessment made by the app's developer, or have even determined whether the developer has one. Moreover, if the employer itself uses contact tracing in the workplace, an impact assessment of its own processing is required. For example, systems that track interactions between individuals and locations within a work site and make that information available to the human resources department or to the person managing the system require a detailed data protection impact assessment to identify the privacy risks.

There has been much discussion of government-developed contact-tracing apps during the COVID-19 pandemic. There should be equal concern about the possible actions of employers. The use of contact-tracing technologies is one way to protect health and safety in the workplace and helps to minimise absence due to illness.
Therefore, while a contagious and potentially deadly disease is spreading, worker safety must be paramount; the use of contact-tracing apps and similar technologies may be crucial in dealing with such diseases and is justified in dealing with COVID-19. Employers must, however, have a legal justification for the data processing, avoid function creep, maintain strong data minimisation and data destruction policies, and ensure full compliance with the other data protection principles (such as fairness and transparency). Later, when the pandemic is over, further concerns, such as invasive surveillance and continued use of these technologies, will also need to be addressed.

The GDPR is broad legislation and provides rules for processing personal data in dealing with problems such as COVID-19; indeed, it provides the legal bases that enable employers to process personal data during an epidemic. However, because of the complex and vague rules on consent in the GDPR, contact-tracing technologies are likely to spread without clear direction, which may further erode employee privacy protections in the future. After the COVID-19 crisis is over and workplaces return to normal, employees and employers would benefit from a clear and stable approach to contact tracing in the workplace. Because of the imbalance of power between employers and employees, national laws are needed to strengthen employees' ability to refuse to download contact-tracing apps or similar technologies, and to provide specific rules if such technologies continue to be used after the COVID-19 pandemic. When the actual need for the technology to keep employees safe has ended, regulation and guidance should prevent future harm and misuse by employers.
References

PRA Health Sciences unveils COVID-19 monitoring app to track symptoms
A Survey of COVID-19 Contact Tracing Apps
COVI White Paper
A First Look at Privacy Analysis of COVID-19 Contact Tracing Mobile Applications
Opinion 2/2017 on data processing at work
Guidelines on Data Protection Impact Assessment (DPIA)
Selling Your Soul While Negotiating The Conditions: From Notice And Consent To Data Control By Design
Your Boss Wants to Know Whether You Washed Your Hands. Slate
Employee Testing, Testing, Tracing, and Disclosure as a Response to the Coronavirus Pandemic
COVID-19 Contact Tracing Apps: A Stress Test for Privacy, the GDPR and Data Protection Regimes
Built to last? The sustainability of healthcare system improvements, programmes and interventions: a systematic integrative review
Can you require employees to download contact tracing apps?
May an Employer Require Its Employees to Use a Contact Tracing App?
Preliminary Criteria for the Evaluation of Digital Contact Tracing Tools for COVID-19
Coronavirus will turn your office into a surveillance state
Reality Mining: A Prediction Algorithm for Disease Dynamics Based on Mobile Big Data
Police told not to download NHS Covid-19 app
Transport for Wales is telling staff to turn off the NHS' contact tracing app
Companies bet on AI cameras to track social distancing, limit liability. Reuters
Information der Datenschutzbehörde zum Coronavirus (Covid-19) [Information from the Data Protection Authority on the coronavirus (Covid-19)]
Covid-19 contact-tracing apps: how to prevent privacy from becoming the next victim
Estimote launches wearables for workplace-level contact tracing for COVID-19
How the Oura Ring health-monitoring wearable may help make returning to the office safer
Communication from the Commission: Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection, 2020/C 124 I/01
Mobile applications to support contact tracing in the EU's fight against COVID-19
Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak
Guidelines 07/2020 on the concepts of controller and processor in the GDPR
Statement on the processing of personal data in the context of the COVID-19 outbreak
Orientations from the EDPS: Reactions of EU institutions as employers to the COVID-19 crisis
Digital tools against COVID-19: Framing the ethical challenges and how to address them
I've got you under my skin: The role of ethical consideration in the (non-)acceptance of insideables in the workplace
Datenschutzrechtliche Informationen zur Verarbeitung von personenbezogenen Daten durch Arbeitgeber und Dienstherren im Zusammenhang mit der Corona-Pandemie [Data protection information on the processing of personal data by employers and public-service employers in connection with the coronavirus pandemic]
Open book? In India, where people are forced to download a tracking app to get paid, journalists are worried about it also being used to access their contacts
Our digital footprint under Covid-19: should we fear the UK digital contact tracing app?
Workers Around The World Are Already Being Monitored By Digital Contact Tracing Apps
Hungarian National Authority for Data Protection and Freedom of Information
Towards a seamful ethics of Covid-19 contact tracing apps
ILO Monitor: COVID-19 and the world of work
Maintaining records of staff, customers and visitors for contact tracing purposes
Statement of the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak
School custodian refuses to download phone app that monitors location, says it got her fired
The right to data protection and the COVID-19 pandemic: the European approach
Civil liberties or public health, or civil liberties and public health? Using surveillance technologies to tackle the spread of COVID-19
The Ethics of COVID-19 tracking apps: challenges and voluntariness
Pegasystems creates free app to track COVID-19 employee exposure
Impact of Delays on Effectiveness of Contact Tracing Strategies for COVID-19: A Modelling Study
Report from the State Legal Service (Detached Department of the SLS at the Spanish DPA) on Processing Activities Relating to the Obligation for Controllers from Private Companies and Public Administrations to Report on Workers Suffering from COVID-19
COVID-19 et traitement de données à caractère personnel sur le lieu de travail [COVID-19 and the processing of personal data in the workplace]
Mind the App: Considerations on the Ethical Risks of COVID-19
COVIDSafe Application Privacy Impact Assessment
Online Speech and the Workplace: Public Right, Private Regulation
The fundamental limitations of COVID-19 contact tracing methods and how to resolve them with a Bayesian network approach
Data Protection, Artificial Intelligence and Cognitive Services: Is the General Data Protection Regulation (GDPR) 'Artificial Intelligence-Proof'?
Innovation under pressure: Implications for data privacy during the Covid-19 pandemic
The COVID-19 Contact Tracing App in England and 'Experimental Proportionality'
Coronavirus opens door to company surveillance of workers
Big data analytics, consent and the European Union (EU) General Data Protection Regulation 2016 (GDPR): The fallacy of consent and control
Ebola Outbreak Containment: Real-Time Task and Resource Coordination with SORMAS
Data protection legislation: What is at stake for our society and democracy?
Apps Gone Rogue: Maintaining Personal Privacy in an Epidemic
As employees return to the office, banks explore surveillance tech
Digital contact-tracing adoption in the COVID-19 pandemic: IT governance for collective action at the societal level
COVID-19 Contact Tracing: From Local to Global and Back Again
GDPR wholly inappropriate to govern contact-tracing data
Could A New Israeli App Help Tackle COVID-19 Tracing In the Workplace
Attitudes on Data Protection and Electronic Identity in the European Union
Processing employees' personal data during the Covid-19 pandemic
Employers as Nightmare Readers: An Analysis of Ethical and Legal Concerns Regarding Employer-Employee Practises on SNS
Privacy Self-Management and the Consent Dilemma. 126 Harvard Law Review 1880
Guidelines: Opening Up America Again
Is Contact-tracing A Public Or Private Concern?
Information Technology and Moral Philosophy
COVID-19 and privacy in the European Union: A legal perspective on contact-tracing
More Than Just Privacy: Using Contextual Integrity to Evaluate the Long-Term Risks from COVID-19 Surveillance Technologies
General comment No. 14: The right to the highest attainable standard of health
Security and Privacy of COVID-19 Contact-Tracing Apps
COVIDSafe, Australia's Digital Contact Tracing App: The Legal Issues
Teachers told to disable NHS contact-tracing app, claims union
Contact tracing in the context of COVID-19: interim guidance
Workforce Survival: Tracking Potential COVID-19 Exposure Amid Socioeconomic Activities Using Automatic Log-Keeping Apps
Peer-to-peer contact tracing: Development of a privacy-preserving smartphone app