By María Ángeles Hernández
Data Security Officer at Euroconsumers
According to the latest reporting, Israel has recently joined China and Iran in announcing that it will begin to make use of state-level data tracking tools in order to monitor the coronavirus epidemic. On 16 March, Andrea Jelinek, the Chair of the European Data Protection Board (EDPB), made a statement on the processing of personal data in the context of the COVID-19 outbreak. The EDPB is an independent body whose purpose is to ensure the consistent application of the GDPR.
In her statement, Jelinek said that the EU’s data protection rules, such as the General Data Protection Regulation (GDPR), do not prevent taking measures in the fight against the coronavirus pandemic. However, the EDPB Chair does underline that, even in these exceptional times, data controllers must take into account a number of considerations when adopting measures involving the processing of personal data to fight the spread of COVID-19.
What does it mean for European consumers?
On one hand, the EDPB points out that the GDPR provides for the legal grounds to enable employers and competent public health authorities to process personal data without the consent of data subjects in the context of the coronavirus epidemic. This is the case when the processing of personal data is necessary for the employers "for reasons of public interest in the area of public health", or "to protect the vital interests of the data subject or of another natural person", or to comply "with a legal obligation to which the controller is subject" (Articles 6 and 9 of the GDPR).
With its statement, the EDPB wishes to remind us that, in a context such as the one relating to COVID-19, consent is not the only legal ground that can justify employers and public authorities being able to process personal data, including health data. However, it should not be forgotten that these activities must be done with safeguards in place and must always respect the principles relating to processing of personal data, especially the necessity and proportionality principles.
On the other hand, for the processing of electronic communication data (such as mobile location data), according to the national laws implementing the ePrivacy Directive, the location data can only be used by the operator when they are made anonymous (i.e. processing data aggregated in a way that it cannot be reversed to personal data), or with the consent of the individuals. Therefore, public authorities could generate reports on the concentration of mobile devices at a certain location, but the location data should be processed in an anonymous way as a first option.
Based on this, in principle, aggregated location data could be used to locate groups of people who are not respecting isolation rules. On the contrary, the use by the public authorities of mobile data to track citizens at risk of coming into contact with COVID-19, as Israel is planning to do, would negatively affect the privacy of citizens. Another example is Taiwan, where mobile location data is used to monitor the compliance with isolation rules by individuals.
However, according to the EDPB’s statement, when it is not possible to only process anonymous data, the ePrivacy Directive enables Member States to take legislative measures to ensure national and public security. In this case, it should be noted that the protection of public health could be considered one of the exceptions based on reasons of national and/or public security. But, if this emergency legislation is introduced, it must be necessary, appropriate and proportionate, and Member States are obliged to put in place adequate safeguards, such as granting individuals the right to judicial remedy.
Consequently, if national governments want to use location data from smartphones to track citizens as a tool to slow the spread of the coronavirus outbreak, as suggested by the head of the Robert Koch Institute, Germany's leading public health body, they must introduce new laws. Moreover, any monitoring-based system should guarantee an acceptable level of data protection and be proportionate, that is, serving the intended purpose using the least intrusive method available, as Federal Data Protection Officer Ulrich Kelber told Reuters.
The publication of the EDPB statement follows similar publications from other European data protection authorities, including those of Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Hungary, Iceland, Ireland, Liechtenstein, Lithuania, Luxembourg, the Netherlands, Norway, Poland, Slovakia, Slovenia, Spain, Sweden, and the UK. These try to keep a balance between facilitating fast and secure data exchange to fight against the coronavirus pandemic and providing the necessary protection of fundamental rights that individuals expect.