PROCESSING OF PERSONAL DATA IN THE CONTEXT OF COMBATTING COVID-19: THE STATEMENTS ADOPTED BY THE EUROPEAN DATA PROTECTION BOARD AND THE EUROPEAN DATA PROTECTION SUPERVISOR ON 16th AND 20th MARCH 2020.
On 16th March 2020, the European Data Protection Board underlined that the data controller and processor must ensure the protection of the personal data even in these exceptional times. Nevertheless, the protection of personal data is a controversial issue due to the increasing demand from public authorities and private entities for tighter surveillance measures.
Governments, public and private organizations throughout Europe are taking measures to contain and mitigate the effects of COVID-19. This can involve the processing of different types of personal data. There is no doubt that an effective epidemic management is also based on the collection and analysis of health data (and not only). However, such measures may raise privacy concerns both under the European Data Protection Regulation (hereinafter: GDPR) and under national legislation. Furthermore, these measures are part of a wider context of strong limitation of fundamental rights of the individual, ranging from the freedom of movement, to social rights, to the right of pursuing its own economic activity and thus be able to support oneself and one’s family. Said limitations have not given rise to many critical voices. On the contrary, it has been argued that these measures are compatible with our Constitution, since the right to health would prevail over all other rights that are temporarily compressed, with the only exception of the rights of regarding the respect for the dignity of human beings and the prohibition of unfair discriminatory measures. Also the right to privacy should therefore be considered within a balance of interests: it has to be asked whether it is preferable to have a general stop of all activities, with citizens confined to their homes, or rather a contagion control system that allows movement wherever possible, also using the most advanced technology, and using privacy regulations as a tool to ensure that the control mechanisms are adequate, proportional and strictly limited to the minimum necessary. To do this, it is also necessary to restore the efficiency of the judicial system, which is the only safeguard against abuse, as soon as possible. Clearly, in circumstances in which the courts are paralyzed, no kind of limitations, whatever they may be (including privacy limitation) can give citizens confidence regarding the respect of their rights.
Effective measures to reduce the spread of covid-19 vs fundamental rights
The balance between effective measures against Covid-19 and the respect of fundamental rights – including the right to privacy – is of key importance, also considering that an important role to reduce the spread of the virus will be played by technology. Indeed, some countries are managing the current pandemic through massive use of apps and software with more or less invasive privacy implications. For example, the app that informs of the presence of infected people within 100 meters of the user’s location; or rather, the app that tracks the movements of infected people in order to reconstruct their entire network of contacts and illustrate their movements. Nowadays, in the name of the emergency and fight against the virus, control proposals have been made, which are exceptional compared to our traditional system of shared values and legal principles. These proposals for the massive digital tracking of citizens are based on the idea that increased surveillance can lead to a more effective fight against the virus. In this context, the European legislation on the protection of personal data has been criticized as considered to be an obstacle to the adoption of measures that could reduce the spread of the virus.
In this regard, on 16th March 2020, the European Data Protection Board (hereinafter: EDPB) published a statement in which, besides specifying that the GDPR rules do not hinder measures taken in the fight against the coronavirus pandemic, it reiterates the importance of protecting personal data even in an emergency context. In this regard, Andrea Jelinek, Chair of the EDPB, stressed that “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”
(the full statement is available here:
https://edpb.europa.eu/news/news/2020/statement-edpb-chair-processing-personal-data-context-covid-19-outbreak). The same content was highlighted in the statement of 19th March in which the EDPB specified the requirements of a lawful processing of personal data in the current emergency context (https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf).
Processing of personal data in the European legislative framework
The EDPB statement recalls the provisions of the GDPR which indicate the specific cases in which the processing of personal data is allowed. In particular:
– Article 6 of the GDPR, which allows the processing of personal data without the consent of the data controller when it is necessary in order to protect the vital interest of the data subject or of another natural person, or when it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
– Article 9 of the GDPR, which allows the processing of particular categories of personal data, such as health information, without the consent of the data subject, for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
On the other hand, with regard to the processing of telecom data, such as location data, Directive 2002/58/EC (the so-called ePrivacy Directive) is mentioned, which allows the use of an individual’s location data only if made anonymous or with the consent of the data subject. The EDPB stressed that under Article 15 of that directive, Member States may adopt legislative provisions restricting the rights and obligations contained in the directive if such restriction constitutes a necessary, appropriate and proportionate measure to safeguard national security and public safety.
The effective protection of personal data in the context of the measures taken by Member States to fight against COVID-19 appears to be confused and fragmented: some countries have adopted a more permissive approach to controls (i.e. Denmark, Ireland, Poland, Spain), others more restrictive (i.e. France, Luxembourg, the Netherlands, Belgium).
The EDPB’s recent statement recalls European privacy legislation in a context where citizens cannot effectively exercise their rights due to the lockdown of entire countries. The very rule quoted by the EDPB to protect telecommunication data (i.e. Article 15 ePrivacy Directive) specifies that in the exceptional cases described above, the Member State is obliged to put in place adequate safeguards, such as guaranteeing individuals the right and access to judicial remedy. But is access to justice really guaranteed in this emergency context? Or rather Article 15 of the ePrivacy Directive will be applied without the necessary safeguards?
A more decisive statement from the EDPB would have been necessary, reminding the Member States of the importance of not ignoring the application of the essential principles of privacy, even in an emergency context like the present one. In this regard, the recent statement by the Italian data protection Supervisor (hereinafter: IDPS) of last 2nd March is noteworthy. The IDPS affirmed that autonomous initiatives concerning the collection of health data of users and workers that have not been provided by the law or ordered by the competent bodies are not allowed (the full statement of the Italian data protection Supervisor is available here: https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9282117).
A clear declaration supporting fundamental rights has not been adopted either by the European Data Protection Supervisor (hereinafter: EDPS). In its statement of last 20th March, the EDPS indicated COVID-19 as the game changer of the current context. Indeed, the EDPS has announced a new strategy for the next five years that will include a review of the current EDPS strategy: “We will all be confronted with this game changer in one way or another. And we will all ask ourselves whether we are ready to sacrifice our fundamental rights in order to feel better and to be more secure”(https://edps.europa.eu/press-publications/press-news/blog/moment-you-realise-world-has-changed-re-thinking-edps-strategy_en).
Simona Lavagnini, Camilla Macrì