The Processing of Personal Data in the Light of Pandemic Diseases
- Processing of personal data in the light of COVID-19;
- The European Data Protection Board on the processing of personal data in the context of COVID-19;
- COVID-19: Derogations in the case of Cross-Border Transfers; and
- The applicability of the principle of proportionality in pandemics.
Processing of personal data in the light of COVID-19
Amid the spread of pandemic diseases such as the current COVID-19 pandemic, data protection is not usually the first issue that comes to one’s mind. That being said, the COVID-19 outbreak has forced entities and organisations both in the private and public sector to deal (among other things) with the following circumstances in which an individual’s data protection rights may be prejudiced:
- Employees are being requested to work from home (where possible) to avoid the risk of contagion, and employers are monitoring employees working from home;
- Employees are requested to report any risk factors, such as any flu symptoms, and to disclose their travel plans to employers, who are in turn in doubt as to how to treat such cases and whose obligations in the light of public interest may require them to report to other employees that an employee is infected with COVID-19;
- Public health authorities may wish to use data to investigate new cases and treatments, to keep abreast of an individual’s health data and to monitor the spread of the virus;
- Authorities may impose ‘monitoring measures’ to enforce lockdown through the use of video cameras and phone tracking.
The European Data Protection Board on the processing of personal data in the context of COVID-19
In the light of the above, the European Data Protection Board (EDPB) has emphasised that data protection rules, with particular reference to the GDPR, do not hinder measures taken in the fight against the coronavirus pandemic.
However, even in these exceptional times, the data controller must ensure the protection of the personal data of individuals. Therefore, several considerations should be taken into account to guarantee the lawful processing of personal data.[i]
Indeed, the GDPR caters for such situations under Articles 6 and 9. These articles provide the legal basis to enable entities, such as companies employing individuals or public health authorities, to process personal data in the context of pandemics.
In the case of processing of personal data and special category data, the EDPB has interpreted these articles as allowing the processing of personal data, without the need to obtain consent, when processing is necessary to comply with a legal obligation, for reasons of public health, as would be the case where the intention is to control diseases and other threats to health, or to guarantee health and safety at the workplace.
This being said, the EDPB has emphasised that an emergency is a legal condition which may legitimise restrictions of freedoms, provided these restrictions are proportionate and limited to the emergency period. Hence, even though the articles of the GDPR allow for such processing and despite this being an extraordinary situation, one should not go further than what would usually be permitted, ensuring that the principle of proportionality is always observed.
Indeed, the GDPR puts weight on the ‘necessity to process’ such data, emphasising that processing must be essential for protecting the lives of people. Article 6(1)(d) states that processing is lawful if necessary to protect the vital interests of the data subject or of another natural person.
For special categories of data, Article 9(2)(c) similarly provides that processing is lawful where necessary to protect the vital interests of the data subject or another natural person where the data subject is physically or legally incapable of giving consent.
Given that the data shared is personal health data, it may only be shared if such sharing will result in a benefit to the individuals who will have access to such data and will prevent the spread of COVID-19, in which case it is shared on the ‘vital interest’ lawful basis.
Processing on the basis of vital interest, especially in situations like these, has been contemplated in the GDPR. Reference should be made to GDPR Recital 46, which states that the vital interest lawful basis may apply ‘for monitoring epidemics and their spread’:
The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should, in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.
COVID-19: Derogations in the case of Cross-Border Transfers
Notably, derogations are also possible in the case of cross-border transfers. GDPR Article 49(1)(f) allows for international transfer for the protection of vital interest, without the need for other mechanisms such as adequacy decisions and standard contractual clauses. Article 49(1)(d) provides a ‘public interest’ derogation, and Recital 112 explains that member states' derogations in the public interest could include transfers made for reasons of “public health, for example in the case of contact tracing for contagious diseases...”.
The applicability of the principle of proportionality in pandemics
Thus, from the interpretation of the relevant articles of the GDPR, it is clear that even in such extraordinary situations, the principle of proportionality applies. Entities, whether employers or public authorities, must ensure that appropriate measures are taken to strike a balance between the protection of personal data and the disclosure of data.
The least invasive measure should be sought: if an authority resorts to a ‘tracking system’, this should be subject to the necessary safeguards, such as ensuring that only the required data is retained for a pre-established period. Using the less intrusive method also means that public authorities should endeavour to process location data anonymously, such as in an aggregated form and in a way that individuals cannot be identified. This occurs when Governments use mobile location data to mitigate the spread of COVID-19.
On the other hand, employers have the right to obtain personal information about employees solely to organise the work, workspace and working conditions, taking protective measures vis-a-vis other employees in a pandemic situation. Additionally, data subjects should receive transparent information on the processing activities being carried out. Controllers who are employers should, in the public interest, communicate with the other staff in relation to COVID-19 cases; however, they should not communicate more than necessary, thus always ensuring that they are also safeguarding the rights of the data subject and acting in line with the principle of proportionality.
[i] Andrea Jelinek, Chair of the European Data Protection Board (EDPB), Statement on the processing of personal data in the context of the COVID-19 outbreak. Adopted on 19 March 2020.