The European Data Protection Board (EDPB) released a statement in relation to data protection rules in the circumstances where Member States are putting emergency measures in place to combat the spread of COVID-19. With many more people working from home and with the increasing use of social media to stay connected with friends and family members, lawful processing of personal data should be guaranteed.
The below should be read in the circumstances where Member States are dealing with an emergency. Any derogations or statutory instruments implemented by national governments which may restrict personal data freedoms inherent in the GDPR and related Directives should be proportionate and limited in time to the emergency period.
Recital 46 of the GDPR states, “Some types of processing may serve both important grounds of public interest … for instance when processing is necessary for … for monitoring epidemics and their spread.”
Some Member States have put measures in place that waive the lawful ways data can be processed as set out in the GDPR, including Italy, which has mandated that people of a certain transmission risk notify health authorities. Notwithstanding the unprecedented crisis being faced by governments, the EDPB has stated that any such measures should be proportionate and limited in time.
There are two areas which the EDPB singles out as being potentially problematic. In the employment context, and in normal times, employers are obliged to process data when paying salaries and for tax purposes. Further processing may be agreed between the employer and employee within the employment contract. Processing of personal data may also be lawful in matters relating to the health and safety of workers or, in the public interest, in the control of diseases and threats to health.
The EDPB reiterates the need for employers to rely on the principles as set out in the GDPR when processing personal data. The data should be processed in a transparent manner and should be fully documented, especially when undertaken in an emergency. Data minimisation is key, and the employer should only require health information to the extent that national law allows it. In the circumstances where the employer is aware of the COVID-19 status of an employee, this information should only be communicated to colleagues where the national law allows it. The affected employee will be informed in advance of any disclosure and their dignity and integrity shall be protected throughout.
Use of mobile location data
The ePrivacy Directive (Directive 2002/58/EC) is the relevant piece of law when considering the use of data obtained in the use of mobile telephones and similar devices. It should be noted that personal data protection rules do not apply to data which has been appropriately anonymised. Significant research has concluded that anonymisation may be reversed and data subjects subsequently identified. Israel has mandated that the telecom data of at-risk individuals may be used to track their movement. France has recently authorised a blanket use of telecom infrastructure to broadcast health advice into the phones of all French citizens. It is the position of the EDPB that the use of telecoms data may be “considered proportional under exceptional circumstances” but should be undertaken utilising the least-intrusive solution. It is understood that citizens may be geolocated or specific messages sent to those located in specific areas.
In Ireland, the Irish Times reported recently that the Health Service Executive (HSE) has said that it is likely that a smartphone app will be rolled out in the coming days. Utilising Bluetooth technology, this app will be used as a tool to identify and isolate new outbreaks. Any new ammunition developed to fight COVID-19 is to be welcomed; however, adequate and appropriate privacy controls, such as limitation of storage and decentralisation, must be built in at the design and development phase. This is especially true when the trust and co-operation of the population is so essential.
If measures allowing for the processing of non-anonymised location data are introduced, a Member State must build in adequate safeguards and one of the solutions discussed by the EDPB is the availability of judicial remedy.
While it is understood that ‘desperate times call for desperate measures’, we must be mindful that the rights over our personal data, built up over time, are not diluted in times of crisis. The right approach must lie in finding a balanced middle ground which does not ignore essential privacy principles.
If you are concerned with how your personal data is being used or you have been affected by any of the issues discussed above, contact David Whelan at email@example.com.