Can employers force vaccinations?
Under GDPR, employers can ask whether an employee has been vaccinated, but they cannot generally request that employees get vaccinated. However, special considerations may be needed depending on the type of work that will be carried out. In certain jurisdictions, there is no definitive right for employers to mandate a vaccine, but the law stipulates that they must consider several factors, including the industry or sector in which they operate and whether such a condition would be reasonable.
Several jurisdictions, for example, indicate that health care workers could reasonably expect to be obliged to obtain vaccinations. Only a few jurisdictions report that the employer may bear the burden of funding the vaccine directly; it is more likely that, according to government policy to promote mass vaccination, employers will be obliged to allow employees paid leave to attend public health centers to be vaccinated. The Global EY Return to Office Tracker navigates the existing legal framework in more than 60 jurisdictions.
Generally, employees cannot be dismissed on the basis that they refused to get vaccinated, but this could change if a statutory vaccination requirement is introduced.
Increased data subject access requests
Many are expecting a spike in data subject access request (DSAR) submissions due to the widespread use of furlough schemes and the mass redundancies that have been taking place due to the pandemic.
While there may be significant differences in approach across jurisdictions, the EY Labor and Employment Law Tracker provides a current snapshot of legal considerations with regard to employer rights and obligations, government furloughs, and incentive schemes as well as relevant topics of workforce transformation.
Technology plays a significant role in DSAR intake and identity verification, data redaction, data encryption for secure delivery and case management. Carefully selecting technology solutions for each part of the process will provide quick turnarounds to comply with regulatory deadlines, reduced cost and increased scalability.
While technology offers solutions to privacy topics including DSARs, respondents to the 2021 Global EY Law Survey ranked data privacy and cybersecurity risks as “8 out of 10” compared to the other risks facing the organization in the next 12 months. This indicates that many organizations are still facing issues finding the right strategy to deal with privacy compliance and risk management.
Transferring employee data post-Schrems II
If employee personal data needs to be transferred and processed across borders, additional considerations come into play. The recent Schrems II decision (Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems) by the European Court of Justice deemed the EU-US Privacy Shield to be an inadequate mechanism to enable data transfers to the US under EU law as it doesn’t provide an adequate level of protection.
This decision has impacted numerous businesses that conducted transatlantic trade solely on the basis of this adequacy decision and were instructed to immediately terminate processing personal data and institute another approved transfer mechanism, such as standard contractual clauses (SCCs). The decision also introduced the obligation for a case-by-case assessment of SCCs to confirm that adequate protection is provided. The Court specified that the protection assessment must consider both the SCCs agreed between the EU data exporter and the data importer established in a third country, and any access by the public authorities of that third country, as well as the relevant aspects of its legal system. Recently the European Commission released its final Implementing Decision on standard SCCs for the transfer of personal data from the EU to “third countries” such as the US, based on which the new SCCs will repeal and replace the existing SCCs.
Considering the amounts of employee personal data that are being transferred from the EU to the US, often by large multinationals headquartered in the US with workforces in the EU, the implications of the Schrems II decision on employers are significant. Organizations need to continue identifying any data transfers that in the past would rely on the Privacy Shield and put alternative measures in place. Similarly, the European Commission finally adopted two adequacy decisions under the EU General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED), which allow personal data to flow freely from the EU and the European Economic Area (EEA) to the UK. This means that no additional measures (including SCCs) need to be taken by UK organizations to continue to receive personal data from the EU and the EEA.
What lies ahead
Adaptations to data privacy and employment law have been commonplace since the beginning of the COVID-19 pandemic. With a future involving an expected mix of remote and in-office work, the role vaccinations play in it, and the processing of employee data related to COVID-19, employers and employees will continue to face change.