EU privacy and data protection in the age of the coronavirus
Genna Cabinet Sprl, Brussels
Privacy and data protection rules should not be an obstacle in the fight against the Covid-19 pandemic. Nevertheless, users’ safeguards should be upheld: this is the basic assumption that should guide national authorities currently facing the Covid-19 emergency, who are looking for technological instruments to make their actions more effective (such as access and treatment of citizens’ personal data, and the use of tracing applications).
We are currently hearing debates in which European rules on privacy and the protection of personal data weaken governments’ fight against epidemics. Consequently, there have been proposals to abandon many privacy measures and embrace foreign experiences, for example, the Chinese government are able to pervasively control the behaviour of citizens thanks to the power of tracking their physical movements and online activity. There is also some debate about applications being used successfully in other Asian countries, in particular Singapore, South Korea and Taiwan. The Israeli model is under observation too. All these cases differ in respect to their impact on individual rights of citizens and therefore require an ad hoc analysis to assess their potential tolerance.
As far as European Union is concerned, there is suspicion that complaints against EU privacy rules actually hide different types of flaws; most notably of which is the difficulty of rapidly adopting the necessary measures to deal with the seriousness of this pandemic.
In truth, current EU privacy and data protection rules, namely Directive 2002/58/EC (the ‘ePrivacy Directive’, amended by Directive 2009/136/EC) as well as Regulation 2016/679 (General Data Protection Regulation, GDPR) already allow for mechanisms or exceptions aimed at protecting national security, including public health.
As regards the GDPR, its Recital 16 excludes from its ambit of application ‘activities concerning national security’, where national security can be referred to exceptional public health emergencies such as pandemics. Furthermore, Articles 6 and 9 of the GDPR specify the legal grounds for exceptional national measures. Article 6(1) GDPR sets out the grounds for lawful processing, specifying that it can happen when:
‘(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.’
Article 9 GDPR allows processing of sensitive data, including sanitary data, when given circumstances occur:
‘(g) processing is necessary for reasons of substantial public interest, on the basis of EU or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.’
Article 15(1) of the e-privacy Directive also plays a useful role, which appears particularly relevant when national authorities may need to process individual location data, when the aggregated ones are not sufficient or suitable for tracing potentially contagious individuals. In such a case, the directive allows Member States to enact appropriate legislation empowering local authorities to track the movements of citizens:
‘(1) Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security [ie, Member State security], defence, public security’
Therefore, according to these rules, governments within the EU are authorised, on the basis of objective and non-arbitrary conditions, to take exceptional measures allowing national authorities, in particular health authorities, to have access to sensitive data, such as health data, as well as other useful data to protect public health. As these EU regulations should have been normally implemented within national legislative frameworks, there is no need to break current privacy rules to protect public health, as the possibility of adopting exceptional measures, limiting or sacrificing the privacy of citizens already exists.
However, it should be noted that while the current EU framework allows its Member States to take exceptional initiatives to protect public health, there are some guarantees given to counter-balance the limitation/sacrifice imposed on citizens’ rights. Such exceptional measures must therefore be necessary, appropriate and proportionate to the context of a democratic society. This means, in practical terms and having in mind a pandemic scenario, that they must be limited to the scope pursued and must be transitory: judicial review must also be possible.
Any collected data, for example data about citizens’ location, cannot be used for purposes other than that of protecting public health and, once the exceptional situation is over, such data must be destroyed. There should therefore be no fear that a government which has acquired data on ‘where I have been on that day’ for public health reasons, may then use this data for other purposes, unless there is already a different and appropriate legal basis. If this happens, citizens would have good legal instruments to defend themselves in court. In any case, such obligation has to fulfil the general requirements of necessity and proportionality – the latter especially requires a certain degree of limitation to the amount of data that may be disclosed, for example by limiting it to traffic/location data of the last two-to-three weeks, and only for people who have been in contact with an infected Covid-19 patient.
The European Data Protection Board (EDPB), which is the European forum that brings together all the European privacy authorities, released statements on this point respectively on 16 and 20 March 2020. The EDPB wanted to denounce the fact that ‘data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic, by stressing that the GDPR already provides for legal criteria allowing employers and relevant health authorities to process personal data in the context of epidemics, without the need to obtain consent from the interested party. Furthermore, EDPB wanted to stress the way Article 15 of the ePrivacy directive may allow Member States in implementing tracking technologies and apps.
In other words, an effective fight against epidemics does not require any definitive limitation or sacrifice in terms of protection of privacy and personal data. This limitation/sacrifice can take place, but it must be for a limited time, and cannot be abused by the Member State. Herein lies the difference between the EU, whose citizens are guaranteed rules confirm the foundations of the rule of law even in exceptional situations, from many other jurisdictions where the difference between routine and emergency could instead be very slight.