In these uncertain times, we are all concerned about the global pandemic state and everything else falls into the background. However, the Corona pandemic will affect all segments of our lives, and the same applies to our privacy.
Currently, there are over 240,000 registered cases (click the link to refresh the numbers) of Coronavirus infection worldwide. However, China, the origin place of COVID-19, is slowly waking up from quarantine showing a significant decline in the number of infected with almost 70,000 recovered patients and decreasing number of new cases.
As reported in the World Health Organization assessment, the Chinese government took unprecedented rigorous measures to prevent the virus from spreading – “New technologies were applied such as the use of big data and artificial intelligence (AI) to strengthen contact tracing and the management of priority populations.”
According to the Gabriel Leung, Dean of the Li Ka Shing Faculty of Medicine at the University of Hong Kong statement for the Science:
“Two widely used mobile phone apps, AliPay and WeChat—which in recent years have replaced cash in China—helped enforce the restrictions, because they allow the government to keep track of people’s movements and even stop people with confirmed infections from traveling. […]Color codes on mobile phones—in which green, yellow, or red designate a person’s health status—let guards at train stations and other checkpoints know who to let through.”
So you might be thinking, can this kind of supervision by authorities happen to you and is it justifiable?
When it comes to personal data processing, there is a big difference in your geographical location. For example, China, the European Union, and the USA have different legislation governing processing personal data of their citizens.
The European Union has put an emphasis on the protection of fundamental human rights and freedoms that is also applicable to personal data processing, which is not necessarily the case with other countries.
Governments, public institutions, and private organizations throughout Europe are taking measures to contain and mitigate COVID-19, which inevitably involves the processing of different types of personal data.
Processing personal data due to Coronavirus in the EU
If you are watching the news and are informed about details regarding Coronavirus, you might have come across sensitive personal information about patients and their family members.
The information can include the movement of patients and details about their previous and current health status.
Even if the names of patients are not directly disclosed, in some cases, it might be possible to identify the individual indirectly, so it is not irrational to question if their rights have been violated.
Is data processing lawful in the case of the Coronavirus pandemic?
Although the General Data Protection Regulation (GDPR) protects a whole array of rights regarding the processing of personal data of EU citizens and residents, it also predicts situations in which such rights can be restricted, just like this Corona pandemic.
It is important to note is that those restrictions need to be done with respect to the essence of the fundamental rights and freedoms of an individual and is a necessary and proportionate measure in a democratic society, as stated in the GDPR Article 23.
This means processing can be done in an emergency situation or for other important objectives of general public interest, such as public health. We can all agree that containing Coronavirus pandemic classifies as such.
The lawful basis for processing, can be the protection of vital interests when processing is necessary to protect someone’s life and freedoms or public task.
The protection of vital interests is supposed to be used only in a specific situation where no other lawful basis is applicable and used as a last resort. Meaning, there is no need to obtain consent from the individual.
The public task can be an appropriate legal base if the processing is necessary for performing a task in the public interest. This is applicable for public authorities in order for them to execute their services, and are authorized to do so by the EU or national law.
Is personal data processing in the case of Coronavirus ethical?
It is important to note that processing that has a foothold in the law does not automatically mean it is right from the ethical perspective.
Fundamental human rights, although protected, can be restricted in certain circumstances, such as Coronavirus. Your rights may have to be restricted to protect other people’s rights or the rights of the community.
Therefore, the DPIA (Data Protection Impact Assessment) needs to be done prior to the processing, to determine all consequences and evaluate an activity that is specifically related to the processing of personal data.
A Data Protection Impact Assessment is a process that identifies and minimizes risks related to personal data processing. Organizations usually conduct a DPIA once they engage in a new data processing activity.
Under the GDPR, DPIA is a legal requirement if a data controller envisages a processing activity that is “likely to result in a high risk to the rights and freedoms of natural persons” (GDPR, Article 35).
Such processing and disclosing of personal information is done with a greater good in mind. It is a mutual obligation to protect each other and society from a serious threat.
At all times, public health officials should keep in mind, that information disclosed needs to be done in respect of the patient and in the minimum amount to achieve public health goals.
Important thing is to strike the balance between social responsibility and ethical responsibility.
What is the obligation of the employer during the COVID-19?
Public institutions and organizations are not the only one processing personal data of individuals. Organizations in the private sector are also processing sensitive personal information due to Coronavirus.
As an employer, you have an obligation to protect your employees and therefore, you are allowed to take certain measures.
For instance, asking your employees about having symptoms or if they have recently traveled to one of the countries that are considered the center of the Coronavirus outbreak.
However, you should not disclose or collect more information then it is necessary. Restrict the access to that information to essential personnel and apply appropriate safeguards.
Make sure you are compliant with Article 5, regarding the GDPR principles relating to processing of personal data.
This is just a high-level overview. Since not all EU countries are affected the same, the allowed measures can differentiate. Make sure you check out your national Data Protection Authority website for more guidelines. DPA like British ICO or Belgian APD has issued their valuable guidelines.
You can check statements by other EEA regulators: Czech Republic, Finland, Denmark, France, Germany, Hungary, Iceland, Ireland, Lichtenstein, Lithuania, Luxembourg, the Netherlands, Norway, Slovakia, Slovenia, Spain, Sweden, and Poland
EU guidelines on the processing of personal data in the case of COVID-19
In response to the Coronavirus outbreak, the European Data Protection Board has issued a statement on the processing of personal data in the context of the COVID-19. Andrea Jelinek, Chair of the European Data Protection Board (EDPB), stated:
“Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”
This means we are not automatically put into the Madmax scenario of societal collapse, the processing still has to be done in accordance with the GDPR and data subjects rights should always be respected.
If the national law has implemented the ePrivacy Directive, if possible, the location data should only be used when the data is anonymous or with proper consent. If this is not possible, Article 15 of the ePrivacy Directive enables the Member States to introduce legislative measures pursuing national security and public security.
Why is processing personal data important in containing COVID-19
In order to measure the pandemic, information on health status and chronic illnesses has to be collected and the movement of all those with whom they have been contacted has to be monitored.
Extreme measures applied are justified if they help combat the global pandemic, and from a privacy perspective, monitoring people and collecting medical information is indeed an extreme measure.
Not much can be done without proper data. There are still facts about the virus that doctors and scientists have not yet figured out, and their access to data can give better insight into how the virus is behaving and change the course and progress of the outbreak.
In order for public health experts to understand the spread of the virus, or how it affects someone’s health, it sometimes requires them to process and/or disclose personal information about the patients to alert the public.
The World Health Organization has commended the remarkable speed with which Chinese scientists and public health experts isolated the causative virus, established diagnostic tools, and determined key transmission parameters, gaining invaluable time for the response.
China is already working on rebooting its economy, reopening its schools and returning to a normal life, even as it works to contain the remaining chains of COVID-19 transmission.
The non-pharmaceutical measures combined with public health measures interrupted the chains of human-to-human transmission, and we are hoping that the EU lockdown will have the same effect.
Hopefully, processing of our personal information and monitoring our movements can help contain the pandemic and assist scientists in developing the vaccine and understand the virus better.
However, processing should never be excessive, we should never lose focus on why the processing is conducted, and as soon as the threat diminishes, the processing should cease.