The European data protection authorities intervene about corona-virus

Schermata 2020-03-16 alle 19.09.41

Among the nonsense that we hear these days in the fight against Covid19, there is the one whereby current European rules on privacy and protection of personal data would weaken governments’ fight against epidemics. Someone proposes to get rid of these useless frills and embrace foreign experiences, for example the Chinese one, where the government is able to pervasively control the behavior of citizens thanks to the power to track their physical movements and online activities. But we also talk about applications successfully used in other Asian countries, in particular South Korea and Singapore. The Israeli model is also under observation. However, these are all very different cases, where the compression of privacy took place in different ways and which would require an ad hoc analysis to assess their potential illiberality.

However, as regards Europe is concerned, there might be a suspicion that the complaint against privacy actually hides different types of flaws, that is, the difficulty of rapidly adopting the necessary measures to deal with the seriousness of the pandemic.

In the truth, current European privacy and data protection rules (namely the E-privacy directive* and the GDPR regulation**) already allow for exceptions regarding national security, including public health.

As regards the GDPR, its recital no. 16 excludes from its ambit of application “activities concerning national security“, where national security can be well referred to exceptional public health emergencies like a pandemics. Furthermore, arts. 6 and 9 of the GDPR specify the legal grounds for exceptional national measures.

Art. 6(1) GDPR lays down the grounds for lawful processing, specifying that it can happen when: “(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller“. 

Art. 9 GDPR allows processing of sensitive data (including sanitary data) when given circumstances occur: ” (g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3; (i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy“.

A useful role is played also by art. 15(1) of the e-privacy Directive, which appears particularly relevant when authorities need to process individual location data, when the aggregated ones are not sufficient or suitable for tracing individuals potentially contagious: “1. Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic societyto safeguard national security (i.e. State security), defence, public security….“.

Thus, According to these above rules, European governments are therefore authorized, on the basis of objective and non-arbitrary conditions, to take exceptional measures allowing national authorities, in particular health authorities, to have access to sensitive data, such as health data, as well as other useful data to protect public health. These European principles should have been normally implemented in national legislative framework. Therefore there is no need to break a privacy rule to protect public health, since the possibility of adopting exceptional measures, limiting or sacrificing the privacy of citizens (in the terms specified below), already exists.

This may mean that we already had a “Chinese” system at home and we hadn’t even noticed it? Not exactly. I don’t know enough about the Chinese model to judge it, but as far as Europe is concerned, it must be said that European framework allows Member States to take exceptional initiatives to protect public health provided that some guarantees are granted too counter-balance the limitation/sacrifice imposed upon citizens’ rights. Such exceptional measures must therefore be necessary, appropriate and proportionate to the context of a democratic society, which means – in practical terms and having in mind a pandemics scenario – that they must be limited to the scope pursued, and they must be transitory. Judicial review must be possible.

It follows from the above that any collected data, for example those on location, cannot be used for purposes other than that of protecting public health and, once the exceptional situation is exhausted, they must be destroyed. There should therefore be no fear that a government, once acquired the data about “where I have been that day” for public health reasons, may then use the same data for different purposes (unless it already has a different and appropriate legal basis to do it). If this happens, the citizen would have good legal instruments to defend himself in court. In any case, such obligation has to fulfil the general requirements of necessity and proportionality whereas especially the latter requires a certain degree of limitation to the amount of data that may be disclosed, e.g. by limiting it to traffic/location data of the past 2-3 weeks and only of people that have been in contact with an infected COVID-19 patient.

The European Data Protection Board (EDPB)***, the European forum that brings together all the European privacy authorities, just intervened on this point. The EDPB wanted to stigmatize the fact that “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic” by stressing that the GDPR already provides for the legal criteria that allow employers and to competent health authorities to process personal data in the context of epidemics, without the need to obtain the (famous) consent of the interested party.

In other words, an effective fight against epidemics does not require any definitive limitation or sacrifice in terms of protection of privacy and personal data. This limitation/sacrifice can take place, but it must be limited in time and cannot be abused by the State. Herein lies the difference between the European Union, whose citizens are guaranteed by rules confirm the foundations of the rule of law even in exceptional situations, from other countries where the difference between routine and emergency could instead be very slight.

* Directive 2009/136/EC which came into force in May 2011, concerns the processing of personal data and the protection of privacy in the electronic communications sector. It is usually referred to as the “E-privacy Directive” and is an amendment of Directive 2002/58/EC.

** General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC

*** The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Economic Area (EEA), and promotes cooperation between the EEA’s data protection authorities.

Categories: GDPR, Privacy

3 replies »

  1. Thanks. I’m still wondering what happened to the cell location data, data retention for which was infamously raised to 6 years in Italy by a law on elevators. How sure can we be that the authorities don’t regularly have a nearly complete access to these, via a channel or another, as in the USA (although probably with a less brazen profiteering scheme)?

    I suspect that the suspension of the privacy restrictions in Italy was made only to authorise after the fact something that has already been ongoing for a while, because they feared word would get out of it. A bit like the “trojan di stato” allowing prosecutors to infect people with malware, backdoors etc. à la NSO Group, Exodus etc.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s