The successful management of COVID-19 relies on the quick analysis and collection of health data, which can raise privacy issues particularly in the European Union. In order to help data controllers manage their COVID-19 response plans under the General Data Protection Regulation (GDPR) and other EU privacy laws, the European Data Protection Board (EDPB) released a statement discussing how governments and companies can process personal data in response to COVID-19.
As the EDPB explains, Article 6 of the GDPR allows controllers to process personal data without consent of the data subject if the processing is necessary to protect the vital interests of the data subject or of another natural person, or if processing is necessary for the performance of a task carried out in the public interest. These exceptions would allow, for example, the government to process the travel history of an infected person in order to track the source of infection.
The EDPB Guidance also makes clear that Article 9 of the GDPR would allow processing of special categories of personal data such as health information without a data subject’s consent if “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health[.]” This would allow employers to ask employees if they have the virus and document this, thereby preventing the spread of the virus to other employees.
The EDPB Guidance also addresses the use of electronic communication data to combat COVID-19. For example, in South Korea, the government has been using cell phone location data to track the location of those who are infected and ensure they remain quarantined. The government has made the location data of those infected with COVID-19 public so that others may avoid contact with them. In Europe, location data can be tracked for purposes of combatting COVID-19, but the tracking is subject to the following privacy constraints.
First, the ePrivacy Directive allows for location data to be used by an operator when the location data has been made anonymous. The EDPB recommends that public authorities take this approach first when considering using location data. Second, the ePrivacy Directive allows for member states to introduce legislative measures for the purpose of national security or public security. The member state may then collect the location data, but is obliged to put in adequate safeguards such as granting individuals the right to judicial remedy.
The EDPB statement makes clear that European privacy law should not pose a barrier to the processing of health and other personal information to combat the threat of COVID-19.