Throughout the world, the coronavirus pandemic is creating enormous challenges. While data protection is not the main concern, the European Data Protection Authorities (DPAs) made it clear that the European General Data Protection Regulation (GDPR) cannot be ignored because of the crisis situation. It is therefore important for businesses to understand how European DPAs are responding to the pandemic and how businesses can process personal data—in particular health data—in this context.
The current, preliminary response of DPAs, including the European Data Protection Board (EDPB), illustrates how vague the GDPR provisions are, leading to varying interpretations. It also illustrates the rigid nature of the GDPR, which renders any attempt to balance its provisions with the requirements of the fight against a pandemic inherently difficult.
How the Pandemic Affects the DPAs’ Work
The pandemic impacts the DPAs’ work in various ways.
- Limited Availability. Many DPAs across Europe are slowing down as a result of containment measures. For example, the Polish DPA closed its offices, although it can still be contacted online. In Bulgaria, access to the DPA’s office is restricted to parties to administrative proceedings who have no remote access to their files. The Czech DPA has recommended electronic or phone communications rather than on-site visits. The European Data Protection Supervisor (EDPS), who is responsible for ensuring that all EU institutions and bodies comply with data protection requirements, and the Dutch DPA are working remotely.
- Delayed Processes. The pandemic has prompted the EDPS to delay the publication of his five-year strategy until May. The EDPS recognized that COVID-19 is a game changer and announced that, in the next few weeks, he will share further reflections on the relationship and possible trade-offs between fundamental rights (including data protection) and safety. ENISA, the European Union Agency for Cybersecurity, also decided to postpone its exercises testing the cybersecurity, business continuity and crisis management capabilities of the healthcare sector. It is likely that more DPAs will need to postpone publications and the findings of their investigations.
- Limited Resources. DPAs’ lack of resources is likely to affect their work: for example, not all administrative workplaces are equipped for remote working. Yet DPAs are unlikely to receive more funding during the pandemic, since EU countries will prioritize more urgent needs.
The DPAs’ Response to the Pandemic
As of March 16, almost all DPAs had published guidelines in response to the spread of the virus. These national guidelines were often available in national languages only and created some confusion, as they reflected differing assessments of what employers may collect. For example, the UK DPA took the view that it is reasonable for employers to ask employees whether they are experiencing COVID-19 symptoms, but employers should minimize the information collected and treat it with appropriate safeguards. The French and Danish DPAs indicated that employers cannot indiscriminately collect health data from their employees but can keep a record of those who have fallen ill. The Dutch DPA said that employers cannot record the nature of an employee’s illness but can ask how long the employee will be absent. The Italian and Luxembourg DPAs recommended that employers avoid any “systematic and generalized” collection of health data and instead rely on employees self-reporting any symptoms.
The European Data Protection Board Chimes In
The EDPB, which is responsible for ensuring the consistent application of the GDPR in the EU and cooperation between all DPAs, finally issued statements on March 16 and March 19 to share the DPAs’ coordinated approach to the crisis.
The EDPB made it clear that the GDPR does not hinder measures taken in the fight against the coronavirus pandemic but businesses are not exempt from complying with the GDPR. The core GDPR principles still apply, including the following.
- Purpose limitation and data minimization. Only personal data that is necessary to meet the objectives pursued should be processed, and only for specified and explicit purposes.
- Transparency. Individuals should receive transparent information in clear and plain language on businesses’ processing activities and their main features, including the retention period for collected data and the purposes of the processing.
- Security. Businesses must adopt adequate security measures and confidentiality policies ensuring that personal data are not disclosed to unauthorized parties.
- Accountability. Businesses should document the measures they implement to manage the emergency and the underlying decision-making process.
The EDPB focused on (1) the processing of personal data in the context of employment and (2) the processing of telecommunications data by governments. In both contexts, the key issue is which legal basis allows personal data to be processed lawfully. A third topic, (3) cybersecurity, is covered below as well; the EDPB’s statements did not elaborate on it beyond the general security principle, but it matters in practice.
Processing Employees’ Personal Data
Businesses do not always need to seek their employees’ consent to process their personal data. They may process such data where doing so is necessary to comply with a legal obligation (e.g., obligations relating to health and safety) or in the public interest (e.g., the control of diseases).
Although health data is subject to stricter requirements, consent is not always necessary here either. According to the EDPB, businesses may process employees’ health data for reasons of substantial public interest in the area of public health on the basis of EU law or the law of an EU country (e.g., protecting against serious cross-border threats to health), or to protect an individual’s vital interests.
However, the EDPB omitted that, for health data, businesses can rely on the vital-interests ground only where the individual is physically or legally incapable of giving consent. In the same vein, while highlighting that the GDPR recitals refer to the control of an epidemic, the EDPB omitted that, pursuant to these recitals, processing based on an individual’s vital interests should in principle take place only where the processing cannot manifestly be based on another legal basis. It is unclear whether these omissions signal that the EDPB is willing to interpret the law broadly.
The EDPB’s March 19 statement also addresses specific questions regarding the processing of employees’ health data, but it mainly provides that businesses should act in compliance with the national law of the European country they are subject to. A key takeaway, however, is the EDPB’s focus on proportionality and data minimization. For example, employers should inform staff about coronavirus cases and take protective measures, but they should not communicate more information than necessary. Where it is necessary to reveal an infected employee’s name, and the national law of the relevant European country allows it, the employee must be informed in advance and his or her dignity and integrity must be protected.
Governments Processing Telecommunications Data
Some EU governments are starting to use mobile location data to fight the spread of the pandemic, e.g., to map the location and spread of the disease, assess the impact of containment measures, and provide targeted information in high-risk areas. For example, in northern Italy, where the situation is critical, a telecom operator produced a heat map based on a large set of anonymized data. In Belgium, several telecom operators agreed to share their databases to help public authorities fight the pandemic, and the Belgian DPA approved the plan to form a task force, under the direction of the telecom and health ministers, that will analyze how to use the anonymized data. In Germany, a telecom operator provided anonymized customer data to the agency responsible for disease control and prevention, which will use it to model the spread of the virus. Similar cooperation initiatives have been put in place in Austria.
The processing of telecommunications data, such as location data, is subject to the ePrivacy Directive. Under its Article 9, location data other than traffic data may be processed only once made anonymous or with the consent of the individuals concerned. However, Article 15 of the ePrivacy Directive allows EU countries to introduce legislative measures to safeguard public security. Such exceptional legislation is possible only if it introduces necessary, appropriate and proportionate measures, and the EDPB stresses that they must be limited to the duration of the emergency. It will probably be challenging for governments to take all data protection aspects into account while drafting such emergency laws in the middle of a pandemic.
Cybersecurity Issues
Cybersecurity is also a critical concern, as there is evidence that criminals are exploiting the coronavirus crisis online. The risk is even higher with people moving to homeworking, and attacks are likely to increase if the pandemic intensifies. Examples include fraudulent emails sent by criminals posing as the World Health Organization and coronavirus-themed phishing emails carrying infected attachments (presented as safety measures) or links to malicious websites.
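The indicators listed above (a sender posing as the World Health Organization, a pandemic-themed subject, a dangerous attachment, links leading off the sender’s own domain) can be turned into a simple mail-triage rule. The Python below is an added example written for this page; it is not code from the article or from any DPA or cybersecurity centre. The two sample messages, the lure terms, the extension list and the score threshold are constructed for illustration; who.int is WHO’s real domain, while the .example domains are placeholders.

```python
"""Heuristic triage of coronavirus-themed phishing emails (added example).

The indicators come from the article's description of the lures; the
sample messages, lure terms, extension list and threshold are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Organisations impersonated in pandemic lures and their genuine sending
# domain (who.int is WHO's real domain; extend the table as needed).
IMPERSONATED = {"world health organization": "who.int", "who": "who.int"}
LURE_TERMS = ("coronavirus", "covid-19", "covid19", "safety measures", "vaccine")
DANGEROUS_EXT = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".iso", ".lnk")
URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)

# Constructed sample: WHO display name, unrelated domain, macro-enabled attachment.
PHISH = """From: "World Health Organization" <alerts@who-safety-update.example>
To: staff@example.com
Subject: COVID-19 safety measures - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached safety measures immediately.
More information: http://who-safety-update.example/login
--b1
Content-Type: application/octet-stream; name="Safety_Measures.docm"
Content-Disposition: attachment; filename="Safety_Measures.docm"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample: internal reminder, link stays on the sender's domain.
BENIGN = """From: "IT Helpdesk" <helpdesk@example.com>
To: staff@example.com
Subject: VPN reminder for home working
Content-Type: text/plain; charset="utf-8"

Remember to connect through the corporate VPN: https://vpn.example.com/
"""


def sender_domain(from_header: str) -> tuple:
    """Return (lower-cased display name, lower-cased address domain)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def _in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def score_message(raw: str) -> dict:
    """Score one RFC 5322 message; higher means more suspicious."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, domain = sender_domain(msg.get("From", ""))

    # 1. Display name claims a health organisation, address domain does not match.
    for alias, real_domain in IMPERSONATED.items():
        if re.search(r"\b" + re.escape(alias) + r"\b", name) and not _in_domain(domain, real_domain):
            findings.append(f"impersonation: '{name}' sent from {domain or '<none>'}")
            break

    # 2. Pandemic-themed subject (weak signal on its own).
    subject = (msg.get("Subject") or "").lower()
    if any(term in subject for term in LURE_TERMS):
        findings.append("lure: pandemic-themed subject")

    # 3. Executable or macro-enabled attachments.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(DANGEROUS_EXT):
            findings.append(f"attachment: {fname}")

    # 4. Links that lead away from the sender's own domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for host in sorted({h.lower() for h in URL_RE.findall(text)}):
        if domain and not _in_domain(host, domain):
            findings.append(f"link: {host} (sender domain {domain})")

    # Strong indicators weigh 2, weak ones 1; threshold of 3 is an assumption.
    score = sum(2 if f.startswith(("impersonation", "attachment")) else 1 for f in findings)
    return {"score": score, "findings": findings, "suspicious": score >= 3}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, score_message(raw))
```

The heuristics only look at what the lure itself exposes; they complement, and do not replace, authentication of the sending domain (SPF, DKIM and DMARC results) and attachment sandboxing, and the weights should be tuned on real traffic before anything is auto-quarantined.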
DPAs and cybersecurity centers in Europe are also reacting to this. For example, the UK National Cyber Security Centre urged businesses and the public to follow online safety advice. The Danish DPA published best practices for people working from home. The DPA recommends that employees use VPNs, avoid storing files locally and connect remotely to the company’s own servers.
The coronavirus crisis is challenging the way European DPAs work together and the credibility of the GDPR.
European DPAs reacted to the pandemic in a rather haphazard manner, but this reflects the EU’s reaction in general, which consisted of national responses rather than coordinated European action. This undermines the harmonized approach that businesses expected the GDPR to deliver.
The credibility of the GDPR is also at risk. On one hand, some may wonder why data protection matters so much when so many lives are at risk: who would take the GDPR seriously if it hindered the use of personal data in a pandemic? On the other hand, given that data protection is a fundamental right in the EU, what would it look like if that right were set aside entirely in times of crisis? In this light, flexibility and proportionality are probably the two key words to keep in mind. The right to data protection is fundamental but not absolute. It has to be balanced with other EU fundamental rights, such as the right to life and healthcare. The right to data protection cannot be given up, but it has to face reality. This is a huge challenge, both for DPAs and for businesses.