The coronavirus disease (COVID-19) outbreak has infected more than 300,000 people (March 25, 2020) all round the world. Its spread has also left businesses counting costs and people losing jobs. The economic implications affected nearly all industries from Customer Service to Operations.
The outbreak also significantly affected the data protection field. Therefore, the Data Protection authorities from around the world are stepping up actively in order to provide their input and guidance on the matter of data processing activities and the fight against the coronavirus.
On March 19, 2020, the European Data Protection Board (EDPB) adopted a «Statement on the processing of personal data in the context of the COVID-19 outbreak». The statement emphasized that while data protection rules, including the European Union’s General Data Protection Regulation (“GDPR”) should not “hinder measures taken in the fight” against COVID-19, data controllers and processors must ensure, “even in these exceptional times,” the protection of individuals’ personal data. The EDPB specifically explained that all measure taken in this context should be in compliance with the general principles of law, and that “emergency is a legal condition which may legitimize restrictions to freedom provided these restrictions are proportionate and limited to the emergency period.
Additionally, the EDPB named once again the core data privacy principles to be abided by the data controllers and processors. Among those principles are the ones stating that individuals should receive transparent information on processing activities, including related purposes for processing and retention periods and that company’s must adopt adequate security measures and confidentiality policies, as well as document measures implemented and underlying decision-making processes to manage the current emergency.
With regard to the legal basis for processing personal data, the EDPB explained that the GDPR provides legal grounds for employers and competent public health authorities to process data in the context of an epidemic in accordance with national legislation and in accordance with the conditions set therein. In the context of employment, processing may be necessary for the compliance with a [national] legal obligation to which the employer is subject (such as obligations relating to health and safety at the workplace), or in the public interest, such as the control of illness and other health threats. The EDPB also stressed that exceptions to the medical data processing prohibitions can be made available to companies “where it is necessary for reasons of substantial public interest in the area of public health”or “where there is a need to protect the vital interests of the individual.” However, although the EDPB was able to provide some clarifications to the most important question, many practitioners criticise that no specific recommendations were provided but rather a repetition of the general principles stated in the General Data Protection Regulation (GDPR).
In the absence of specific recommendations from the EDPB, the Data Protection Authorities (DPAs) of the EU Member States started taking active measures themselves. The German Federal Commissioner for Data Protection and Freedom of information (Der Bundesbeautragte für Datenschutz und die Informationsfreiheit – BfDI) was not an exception and provided information on data protection and the coronavirus.
The Data Protection Conference (Datenschutzkonferenz - DSK), the body of the independent German Data Protection Supervisory Authorities of the Federal and State Governments, published information for employers and employees on how to deal with data protection in connection with the corona pandemic. The data protection experts made it clear that the protection of personal data and measures to combat the infection should not and do not conflict with each other.
In addition, the Federal Commissioner for Data Protection and Freedom of Information, Professor Ulrich Kelber, stated that information about health is very sensitive data. Anyone who collects or processes such data must be aware of the special responsibility coming with this kind of data. As long as the measures taken by employers and employees are proportionate, data protection does not hinder infection control since the health of citizens is now the priority. He also noted that data can be collected and used in accordance with data protection laws in order to fight the corona pandemic or to protect employees. For example, employees' personal data can be collected in order to prevent the spread of COVID-19 within the workforce.
The overall opinion of the BfDI is that limiting data protection in the public interest is not a novel concept. Section 22 (1) of the new German Federal Data Protection Act permits processing of special categories of personal data under Art. 9 “for reasons of public interest in the field of public health, such as protection against serious cross-border health risks...” under certain conditions to protect the integrity of the data. Also, Sec. 22 (2) of the German Federal Data Protection Act obliges the parties involved to protect these data sets by specific security measures, depending on the particular circumstances, such as encryption, data separation, data access controls, and specific storage backups.” Germany’s "Infection Protection Act", which replaced the Federal Law on Diseases 2002, contains numerous data processing authorizations for local state and national health departments and agencies, even in cases of suspicion, and includes extensive reporting obligations by doctors, etc. to these agencies.
Thus, in the midst of the coronavirus pandemic, it is more important than ever to place privacy and data protection at the center of public discourse and promote the idea that one should not regard it as “public health OR privacy”, but rather as “public health AND privacy”.
For further information on how to best comply with data protection and security during the corona pandemic please contact your RSM experts.
Alexandra Khammud LL.M
GDPR Expert - Risk Advisory Services (RAS)