Processing of personal data in the context of COVID-19

March 24, 2020 Blogger

In the health crisis that Europe has faced in recent weeks, one may wonder whether privacy and data protection should take a step back in order to fight the virus.

The question is on everyone’s lips, and many Supervisory Authorities (SAs) in the EU Member States, as well as the European Data Protection Board (EDPB), have published recommendations on the processing of personal data in the current context[1].

Concerns were first raised by employers who needed to ensure the health and safety of their employees by implementing specific measures.

The SAs of Belgium, Luxembourg, Italy, the United Kingdom and France stated that they would show some flexibility regarding the processing of personal data.

The ICO, the UK SA, goes even further, stating that it is understandable that responses to information rights requests may be delayed, and that companies that need to prioritise other areas or adapt their usual approach during this extraordinary period will not face regulatory action[2].

However, the SAs underline the need to respect Article 5 of the GDPR and insist on the principles of proportionality and data minimisation. Accordingly, they rule out intrusive measures such as the systematic recording of employees’ temperatures and detailed questionnaires about behaviour and risk of infection.

As regards temperature checks of employees, the Belgian SA does not consider a check to be processing of personal data as long as the result is not recorded.

Employers are advised to inform employees if an individual in the company has been infected with COVID-19; however, the SAs recommend giving no details and not communicating the identity of the person. The EDPB allows the name of the employee(s) who contracted the virus to be revealed where this is necessary (e.g. in a preventive context) and national law permits it. In such situations the employees concerned must be informed in advance, and their dignity and integrity must be protected.

On 17 March the president of the Garante per la protezione dei dati personali, the Italian SA, again recalled that specific measures may be applicable but must be limited in time and proportionate.

The principle of transparency must not be forgotten either: data subjects should receive clear information regarding the processing of their personal data, including the purposes of the processing and the retention period.

It is important to adopt adequate security measures and confidentiality policies ensuring that personal data, and all the more so special categories of personal data such as health data, are not disclosed to unauthorised parties.

Finally, the measures implemented to manage the current emergency, and the decision-making process behind them, should be documented[3].

As regards the lawful basis, in most countries Article 9(2)(b) GDPR (“employment, social security and social protection law”) would apply, in addition to a lawful basis under Article 6. Employers are indeed obliged to take reasonable steps to look after the health, safety and welfare of their staff.

On this point, however, the UK, Belgian and Italian SAs underline that it is not for the employer to assess the health risk but for doctors, who communicate the risk to the employer on the basis of Article 9(2)(b) GDPR.

Some SAs stated that the condition for processing special categories of personal data laid down in Article 9(2)(i) GDPR, “processing necessary for reasons of public interest in the area of public health”, would apply where companies act in compliance with instructions issued by the competent authorities[4].

The EDPB also suggests that vital interest could serve as a lawful basis for processing data in this context, particularly since Recital 46 explicitly refers to the monitoring of epidemics.

The Belgian SA, on the other hand, states that the legal basis of vital interest will not be systematically applicable in the context of COVID-19 at this stage[5].

Recent developments have raised further questions and proposals concerning the processing of electronic communications data such as mobile location data. Here the EDPB underlines that, besides the GDPR, other rules apply, notably the ePrivacy Directive and its national implementations[6].

The Directive provides that location data may be used by the operator only when made anonymous or with the consent of the individuals concerned. Consequently, operators should first seek to process location data in anonymised form, i.e. aggregated so that it cannot be reversed to personal data. Nevertheless, Article 15 of the Directive allows Member States to introduce legislative measures to safeguard national security and public security. The least intrusive solution should always be preferred, taking into account the specific purpose to be achieved.

Such emergency legislation is possible only on condition that it constitutes a necessary, appropriate and proportionate measure within a democratic society. The EDPB recently underlined that “These measures must be in accordance with the Charter of Fundamental Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms. Moreover, it is subject to the judicial control of the European Court of Justice and the European Court of Human Rights. In case of an emergency situation, it should also be strictly limited to the duration of the emergency at hand”[7].

In any case, controllers should monitor updates from governments, as additional national legal requirements or guidance on the processing of personal data may be adopted. Across all countries, the Supervisory Authorities agree that health protection and the protection of personal data are not opposing forces.

[5] Text published on 13 March 2020.