CORONAVIRUS PROTECTION AND PRIVACY AT THE CROSSROADS: EMERGENCY GOVERNMENT ORDER WITH WIDE-RANGING AUTHORIZATION APPROVED BY ITALIAN DATA PROTECTION AUTHORITY – A(N IN)DELICATE BALANCE
Decree no. 630 adopted on February 3, 2020 as an urgent measure of combatting the spreading of the Coronavirus has been approved by the Italian Data Protection Authority. The decree confers wide-ranging authorizations of data treatment to the personnel of the Civil Protection, a government body responding directly to the President of the Council of ministers. Such data treatment may include the communication between the personnel and may regard the delicate aspects disciplined in Art. 9 and 10 GDPR regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation and also data relating to criminal convictions and offences or related security measures.
The legal framework
Due to the spreading of the Coronavirus, the Italian Council of ministers, on January 31, 2020 had declared a six-months emergency period. The Civil Protection, a structure based on a wide number of governmental, administrative, regional and local entities had developed a draft decree of first urgent measures with wide ranging authorizations restricting citizens civil liberties, at the same time providing exceptions and a lowering of the applicable standard of personal data protection. The decree was adopted following approval by the Italian Data Protection Authority. The only observation of the Data Protection Authority concerned the necessity to provide for measures guaranteeing that at the end of the six-month period, all administrations involved in the activities of the Civil Protection, would take appropriate measures to bring the processing of personal data carried out in the context of the emergency, into the ordinary competences and rules governing the processing of personal data. With the regard to the framework of European Union law it shall be noted that pursuant to art. 9 para 2 lit. i) GDPR the processing of some of the data referred to above may be necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health. In these cases, the law shall provide for “suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy”.
A delicate balance
The mentioned decree no. 630 of the Civil Protection of February 3, 2020 contains a referral to the general principles laid down by Art. 5 GDPR but does not contain specific measures to safeguard the rights and freedoms of the data subject. The latter aspect is of particular relevance as according to the newspaper ItaliaOggi, edition of February 25, 2020, the authorized data treatment vis à vis citizen suspected of infection would not be limited to traditional forms of data treatment but could include also analysis of mobile communication data and geo-localization in order to establish possible chains of contacts. Another aspect of concern regards the express authorization conferred to the Civil Protection to treat also data “relating to criminal convictions and offences or related security measures”. This possibility is not covered by the exception provided for under European Union law, namely art. 9 para 2 GDPR. Further amendments, prior to the end of the situation of emergency, which guarantee an adequate protection of involved data subjects appear necessary and inevitable.