Given the recent developments of the COVID-19, both public and private organisations in Europe are implementing stricter measures to try to contain the pandemic. Many of these measures might involve processing of personal data as governments seek to accurately understand the health and location data of their citizens. A clear example of this comes from another continent. The South Korean government has been effective in controlling the virus through strict testing and quarantine measures. South Korea did not waste any time in testing thousands and thousands of asymptomatic citizens who would then have their data logged into a tracking app (Corona100m) that served the purpose to inform other healthy citizens of where those who tested positive were within a distance of 100 metres (The Guardian). It is only natural then to ask what type of measures will be implemented in Europe.
Statement Europan Data Protection Board
The European Data Protection Board Chair Dr Andrea Jelinek has released a statement covering this particular issue (EDPB.EUROPA.EU). In a context such as the one provided by the COVID-19 pandemic, the very broad legislation that is the GDPR offers the necessary rules to be applied to the processing of personal data. In fact, in an epidemic context, there is no need for the authorities to obtain the consent of the data subject to process their personal data. For instance, Art.6 and 9 of the GDPR allow for the processing of personal data for reasons of public health, public interest, to protect vital interests and to comply with other legal obligations.
Data of electric communication
The processing of electronic communication data is also an issue very much linked to the COVID-19 pandemic. In her statement in fact, Dr Andrea Jelinek, touched upon the national laws implementing the ePrivacy Directive (EDPB.EUROPA.EU). These laws allow for the principle that the location data can only be used by the operator when they are made anonymous or with the specific consent of the individual. However, Art.15 of the ePrivacy Directive enables Member States to introduce legislative measures to safeguard public security. These exceptional legislations must strictly be in accordance with the Charter of Fundamental Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms.
Answers on questions an concerns
It is clear then that in exceptional circumstances, such as what the COVID-19 pandemic has presented us with, there are legal grounds that allow for an otherwise not possible processing of personal data. Naturally however, any type of government surveillance programme will spark debates on how the data will be used and whether people’s privacy will be put aside. Moreover, the data being processed might not only be available to public authorities but could also be exposed to private companies. Exposing data to private companies will undoubtedly be a reason for concern given their great commercial value. The World Economic Forum (WEFORUM) has touched upon this issue. It is clear that several concerns and questions are arising from the COVID-19 pandemic and its impact on people’s privacy. These questions will need to be answered as soon as possible as they will be a great cause for debate after the coronavirus will have finally been defeated.
The views expressed in this blog are those of the authors and not necessarily those of EIPA.
