On 20 March 2020, the European Data Protection Board (“EDPB”) released a statement on the protection of personal data in connection with measures that public authorities and business organisations (including employers) are taking to address the Coronavirus (COVID-19) pandemic. This statement extends the statement released by the EDPB chair on 16 March 2020. In its latest statement, the EDPB emphasises that EU data protection law (in particular, the EU General Data Protection Regulation (“GDPR”)) does not stand in the way of measures adopted to fight COVID-19, provided that these measures are necessary, proportionate and consistent with the safeguards required under EU Member State laws. The EDPB statement also provides useful guidance for organisations to consider when adopting measures that involve processing personal data during this time.
Overall, while the EDPB statement may provide some reassurance to organisations with respect to COVID-19 measures, organisations would be well advised to consider guidance issued by individual EU Member State data protection authorities as well. Several Member State data protection authorities have begun issuing COVID-19 guidance that is, at least in certain respects, divergent: some are adopting a more restrictive approach (for example, the French CNIL), while others are more permissive (for example, the UK’s Information Commissioner’s Office).
Lawfulness of processing
The GDPR allows public health authorities and employers to process personal data in the context of the COVID-19 pandemic, in accordance with national law, without necessarily obtaining the consent of the individuals concerned. The EDPB statement identifies the following legal bases under the GDPR as relevant in the present context: processing that is “necessary for reasons of substantial public interest in the area of public health” (Article 9(2)(i) of the GDPR); processing that is “necessary for compliance with a legal obligation” (Articles 6(1)(c) and 9(2)(b) of the GDPR); and processing that is necessary to protect the vital interests of the data subject (Articles 6(1)(d) and 9(2)(c) of the GDPR). In relation to the last of these, Recital 46 of the GDPR explicitly refers to the monitoring of the spread of epidemics.
Data protection principles
The EDPB re-emphasises the importance of processing personal data in line with the GDPR’s data protection principles. It reiterates that personal data may only be collected for “specific and explicit purposes” and should not be further processed in a manner incompatible with those purposes. Individuals should be provided with clear and transparent information about the processing activities being carried out by organisations (e.g., employers), including the purposes of the processing and the periods for which their personal data will be retained.
In addition, the EDPB urges organisations to implement adequate technical and organisational security measures and policies regarding the confidentiality of personal data to prevent the unlawful disclosure of personal data. The statement is clear that organisations need to ensure they appropriately document any measures implemented to manage the current pandemic and the decision-making process.
According to the EDPB’s statement, employers are allowed to collect personal data, including health data, from their employees and others in order to prevent the spread of the disease, provided that they minimise the amount of information collected, act in a proportionate manner and comply with national law.
The EDPB is clear that, as a preventative measure, employers should inform staff that a colleague may have COVID-19, but should not name the individuals concerned or provide more information than is required. Where it is necessary to reveal the identity of the colleague concerned, and where national law permits this, the EDPB emphasises that the employee should be informed in advance and that “their dignity and integrity” must be protected.
Processing of electronic communication data
As a means to monitor, contain or mitigate the spread of COVID-19, governments in some Member States may use mobile location data, for example to send public health messages to individuals. In this regard, the EDPB suggests that public authorities should first seek to anonymise location data (e.g., by aggregation), which would still allow them to determine the number of mobile devices in a particular location, or, alternatively, obtain the consent of the individuals concerned. Where it is not possible to rely on anonymous location data, the ePrivacy Directive enables Member States to introduce legislative measures permitting the processing of identifiable electronic communications data for the purpose of safeguarding public security. Such legislative measures must be necessary, appropriate and proportionate, and must provide individuals with a right to a judicial remedy.
The EDPB is clear that the least intrusive measures should be adopted and that, where more invasive measures such as the tracking of individuals are involved, those methods must be subject to enhanced security and safeguards in line with the GDPR’s data protection principles.