On March 19, 2020, the European Data Protection Board (“EDPB”) published a new statement regarding processing personal data in the context of the COVID-19 outbreak. The EDPB said that an emergency is a legal condition which may legitimize restrictions of individual freedoms, provided that these restrictions are proportionate and limited to the emergency period. Several considerations come into play in weighing the lawful processing of personal data in these circumstances.
- Legal Basis: The EU General Data Protection Regulation (“GDPR”) already provides for legal grounds that allow employers and public health authorities to process personal data in the context of epidemics or pandemics without the need to obtain the consent of individuals. The relevant legal grounds include personal data processing in the public interest, or to protect an individual’s vital interests, or to comply with another legal obligation.
- Employment Context: In the employment context, certain personal data processing may be necessary for an employer to comply with legal obligations, including those related to workplace health and safety or the public interest. However, national legal restrictions may apply. If an employer is considering requiring visitors and employees to provide health information for COVID-19 purposes, for instance, they may only do so if applicable national law allows for that. Similarly, an employer can perform medical check-ups on employees if the applicable national employment law or relevant health and safety law permits it. Employers should inform staff about COVID-19 cases and take protective measures, but should not communicate superfluous information. If revealing the name of employee(s) who contracted the virus is necessary for prevention purposes, and the applicable national law permits doing so, the employee(s) at issue should receive advance notice and their dignity and integrity should be protected. Employers should also comply with national legislation if they want to obtain personal information in connection with COVID-19 to fulfil their duties.
- Core Principles: The EDPB underlined that even in these exceptional times, personal data must be processed for specified and explicit purposes. In addition, individuals must receive transparent information regarding the processing activities, including the applicable retention period for the collected data and the purposes of the processing. Adequate security and confidentiality measures must be implemented to ensure that the personal data is not disclosed to unauthorized parties. Importantly, the EDPB requires documenting measures implemented to manage the COVID-19 emergency situation.
- Mobile Location Data: To lawfully process mobile location data, public authorities should first aim to anonymize the data in accordance with the relevant ePrivacy Directive rules. According to the EDPB, this step can facilitate public authorities reporting on mobile device concentration at a certain location based on aggregated data. When it is not possible to only process anonymous mobile location data, governments should seek to pass emergency legislation to process non-anonymized location data. If exceptional legislation related to processing such non-anonymized data is introduced, Member States should provide adequate safeguards (such as a right to judicial remedy). From a proportionality perspective, the least intrusive solution is preferred; to the extent governments enact measures to track individuals based on historical location data that is not anonymized, these practices should be subject to enhanced scrutiny and safeguards in terms of duration and scope.
- Emergency Legislation: The EDPB encourages Member States to make use of Article 15 of the ePrivacy Directive, which allows Member States to adopt emergency legislative measures for the processing of electronic communication data for reasons of national security and public security, which the EDPB has said includes measures adopted to safeguard public health. Such exceptional legislation must constitute a necessary, appropriate and proportionate measure within a democratic society, and be limited to the emergency’s duration.
This formal statement follows EDPB Chair Andrea Jelinek’s initial statement, published on March 16, 2020, on the EDPB’s website. The initial statement conveyed the message that the GDPR does not hinder measures taken in the fight against the coronavirus pandemic. It also informed the public that several Member States have adopted, or are in the process of adopting, emergency legislation to fight the COVID-19 outbreak.