Mar 252020

European Data Protection Board Releases Statement on Personal Data and COVID-19

William RM Long, Vishnu Shankar and Denise Kara
, , ,

On 20 March 2020, the European Data Protection Board (“EDPB”) released a statement on the protection of personal data in connection with measures that public authorities and business organizations (including employers) are taking to address the Coronavirus (COVID-19) pandemic. This statement is an extension of the statement released by the EDPB chair on 16 March 2020, (which can be accessed here). In its latest statement, the EDPB emphasises that EU data protection law (in particular, the EU General Data Protection Regulation (“GDPR”)) does not stand in the way of measures adopted to fight against COVID-19 – if these measures are necessary, proportionate and consistent with safeguards required under EU Member State laws. The EDPB statement also provides useful guidance for organisations to consider when adopting measures to lawfully process personal data during this time.

Overall, while EDPB statement may provide some reassurance to organizations with respect to COVID-19 measures, organizations will be advised to consider guidance issued by specific EU Member State data protection authorities as well. In particular, specific EU Member State data protection authorities have begun issuing COVID-19 guidance that is, at least in certain respects divergent: while certain data protection authorities are adopting a more restrictive approach (for example, the French CNIL), others are more permissible (for example, the UK’s Information Commissioner’s Office).

Lawfulness of processing

The GDPR allows public health authorities and employers to process personal data in the context of the COVID-19 pandemic, without necessarily obtaining the consent of individuals, in accordance with national law. The EDPB statement identifies the following legal bases under the GDPR as being relevant in the present context: processing that is “necessary for reasons of substantial public interest in the area of public health (Article 9(2)(i) of the GDPR); processing that is “necessary for compliance with a legal obligation (Articles 6(1)(c) and 9(2)(b) of the GDPR); and processing that is necessary to protect the vital interests of the data subject (Articles 6(1)(d) and 9(2)(c) of the GDPR). In relation to the latter, Recital 46 of the GDPR explicitly refers to the monitoring of the spread of epidemics.

Data protection principles

The EDPB re-emphasises the importance of processing personal data in line with the GDPR’s data protection principles. The EDPB reiterates that personal data processed for a particular objective should only be processed for “specific and explicit purposes”. Individuals should be provided with clear and transparent information on the processing activities that are being carried out by organisations (e.g., employers), including information about the periods in which personal data will be retained and the purposes of the processing.

In addition, the EDPB urges organisations to implement adequate technical and organisational security measures and policies regarding the confidentiality of personal data to prevent the unlawful disclosure of personal data. The statement is clear that organisations need to ensure they appropriately document any measures implemented to manage the current pandemic and the decision-making process.

Employment matters

According to the EDPB’s statement, employers are allowed to collect the personal data of their employees and others, including health data, to prevent the spread of the disease, provided that they take steps to minimise the amount of information collected, it is done in a proportionate manner and it is conducted in accordance with national law.

The EDPB is clear that employers should inform staff that a colleague may have COVID-19 as a preventative measure, but may not name specific individuals, or provide more information than  required. In instances where it is necessary to reveal the colleague concerned and where permitted by national law, the EDPB emphasises the importance for the concerned employee to be informed in advance and for “their dignity and integrity” to be protected.

Processing of electronic communication data

As a means to monitor, contain or mitigate the spread of COVID-19, some governments in Member States may use mobile location data to send public health messages to individuals, among other things. In this regard, the EDPB suggest public authorities first attempt to anonymise location data (e.g., by aggregation) as this would allow public authorities to determine the amount of mobile devices in a particular location or, alternatively, obtain the consent of individuals to process such data. When it is not possible for an organization to process (for example) anonymous location data, the ePrivacy Directive enables Member States to introduce legislative measures to process identifiable electronic communication data for the purposes of safeguarding public security. These legislative measure must be necessary, appropriate and proportionate and provide for an individual’s right to a judicial remedy.

The EDPB is clear that the least intrusive measures should be adopted and where invasive measures such as the tracking of individuals is involved, such methods should be subject to greater security and safeguards in line with the GDPR’s data protection principles.

You can find a full version of the EDPB’s statement here and our update on Coronavirus Risks – U.S. and European Employment and Privacy Law Issues here.

William RM Long

London

wlong@sidley.com

Vishnu Shankar

vshankar@sidley.com

Denise Kara

London

dkara@sidley.com

You might also like
UK GDPR Reform Is Back! Department of Science, Innovation and Technology Introduces New Data Protection and Digital Information Bill

On 8 March 2023, the newly created Department of Science, Innovation and Technology (“DSIT”) introduced the Data Protection and Digital Information (No. 2) Bill. The “Bill” is in substance a re-introduction of the previous Data Protection and Digital Information Bill which was withdrawn from Parliament on the same day as the new Bill was published. The Bill, which has been hailed by the UK Government as one that will “save billions” and “cut down pointless paperwork” is the UK’s latest attempt to create a more streamlined piece of data protection legislation for the UK whilst still “ensur[ing] data adequacy.” The Information Commissioner’s Office (“ICO”) also welcomed the re-introduction of the Bill, with the Commissioner stating that he would “support [the Bill’s] ambition.” While much of the Bill remains the same as its previous iteration, we set out the key provisions and notable amendments below.

FINRA Issues 2023 Report on Its Examination and Risk Monitoring Program

On January 10, 2023, the Financial Industry Regulatory Authority (FINRA) published its 2023 Report on its Examination and Risk Monitoring Program (the Report).1 The 75-page Report includes four new topic areas for 2023: (1) manipulative trading, (2) fixed income — fair pricing, (3) fractional shares — reporting and order handling, and (4) Regulation SHO.

Unpacking Digital Data Laws Across Europe: Addressing the Digital Markets Act

The EU Digital Markets Act (DMA) is set to revolutionize the way in which so-called ‘Big Tech’ is regulated in the EU, shifting toward ex-ante rulemaking and away from traditional after-the-fact enforcement. The DMA imposes a stringent regulatory regime on large online platforms (so-called “gatekeepers”) and gives the European Commission (Commission) new enforcement powers, including an ability to impose severe fines and remedies for noncompliance.