The right to privacy may be a fundamental human right, but it is not absolute. In cases of pandemic disease, such as the current COVID-19 pandemic, the safeguarding of that right will face limitations on grounds of public health and safety. This in turn raises the question of how far the privacy rights of those affected by the virus, and of those placed in quarantine, can be limited in the public interest.
What does the GDPR say?
The EU General Data Protection Regulation (‘GDPR’) allows for the limitation of the rights of the data subject in times of calamity, where in day-to-day life such limitations may not be acceptable.
Pursuant to article 6 of the GDPR, personal data may be processed without the consent of the data subject where the processing is necessary to protect the vital interests of the data subject or of another natural person, or where the processing is necessary for the performance of a task carried out in the public interest. On these bases the data captured may be of any type, whether relating to health, travel or family relations (health data being subject to the additional conditions of article 9, discussed below). It is true that much of this data, except perhaps health-related data, is made freely available by many data subjects on their social media platforms; nevertheless, the processing of such data cannot normally take place simply because the data is available in the public domain.
The GDPR categorises data relating to the physical or mental health or condition or the sexual life of a data subject as a special (sensitive) category of personal data and restricts the manner in which such data may be processed. Nevertheless, article 9 of the GDPR allows for the processing of these special categories of data where the processing is necessary for reasons of public interest in the area of public health, including the management of transmissible diseases such as COVID-19. Further leeway is afforded where the processing of such data is necessary for scientific research and statistical purposes, and where it is necessary for medical purposes. In such cases one should also consider the extent to which such sensitive data will continue to be processed in the future, if and when the disease is brought under control.
Moreover, as clarified in a statement issued by the European Data Protection Board on the 16th of March 2020, where the data to be processed is electronic communications data, such as mobile location data, additional rules (those of the ePrivacy Directive as implemented in national law) apply over and above what is provided in the GDPR, and public authorities should aim to process location data in an anonymous way.
A cursory look at the approach taken by certain Member States
In Italy, extensive powers have been given to civil protection personnel for the purpose of processing personal data related to the COVID-19 outbreak. Civil Protection Ordinance No.630 lifts restrictions on the sharing of special categories of personal data necessary for civil protection functions.
The Ordinance appears to be silent on the manner in which such data will be processed and on how long it will be stored. By contrast, the neighbouring French authorities have taken a more rigorous approach to protecting data subjects' rights.
In a notice issued by Les Agences Régionales de Santé ('ARS'), the ARS set out a list of criteria which health authorities, businesses and individuals must adhere to in order to remain GDPR compliant. The transmission of data is permitted only to partners involved in the control, prevention or evaluation of the epidemic, and the rights conferred on data subjects by the GDPR remain in force.
The ARS is guided by the general data protection principle of data minimisation provided for in the GDPR, allowing the processing only of such data as is necessary for the control, prevention and evaluation of the pandemic. Moreover, data may not be stored for longer than necessary: such sensitive data may be preserved only for the duration of the investigation and, thereafter, only anonymised data may be held, for a maximum of one year after the investigation is finalised.
Over and above what is allowed under the GDPR, German law contains several specific data processing authorisations permitting local, state and national health departments and agencies to process data for health purposes. Doctors may even be obliged to report their findings extensively to such agencies, whilst the integrity of such data is maintained through specific security measures.
On the 13th of March 2020, the Belgian Data Protection Authority issued guidance on processing of health-related data by employers.
In terms of the guidance, employers may not rely on the exceptions under the GDPR which allow for the processing of health data unless the Belgian authorities specifically issue instructions permitting such processing, notwithstanding the existing spread of COVID-19 in Belgium.
Moreover, where personal data is collected for the purpose of stopping the COVID-19 spread, such data must be collected in line with the principles set out under article 5 of the GDPR, including in a lawful, fair and transparent manner.
The guidance specifies that in practice employers may neither assess nor communicate to other employees the risks presented by ill employees. Nor may employers carry out systematic and generalised checks on their employees (such as temperature checks); only occupational physicians may monitor employees presumed to be sick with COVID-19. Upon diagnosis, the employer may not reveal the identity of the employee in question, and any necessary communication to other employees must be made with the utmost protection of the sick employee's identity.
Finally, an employer cannot force employees to fill in questionnaires disclosing recent trips, nor can employers go beyond the framework of existing labour law when asking employees questions regarding family and friends.
In terms of the Maltese Data Protection Act (Chapter 586 of the Laws of Malta), under normal circumstances a data controller must obtain authorisation from the Information and Data Protection Commissioner before proceeding with the processing of special categories of data on the basis of public interest.
As yet, the Commissioner has issued no communication on the safeguards to be adopted by the health authority and law enforcement, nor on the extent to which one may rely on legitimate interests.
Will the law impede public health interests?
Adhering to the law should not be viewed as an obstacle to the protection of public health. Rather, it should be viewed as the foundation of the policies issued by national authorities. Nonetheless, some flexibility is crucial in a time of crisis, and data protection law permits such flexibility in matters of public interest.
In conclusion, it should be highlighted that in the same statement of the 16th of March 2020, the Chair of the European Data Protection Board said: “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”
Article written by Senior Associate Dr Terence Cassar, Associate Dr Bernice Saliba and Legal Trainee Ms. Emma-Marie Sammut.
Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.