Published on 26 Mar 2020 • European Union, United Kingdom
The European Data Protection Board (EDPB) has adopted a statement on the processing of personal data in the context of the COVID-19 outbreak.
On 19 March 2020, the European Data Protection Board (EDPB) adopted a statement on the processing of personal data in the context of the COVID-19 outbreak.
The EDPB recognises that the fight against communicable diseases should be supported in the best possible way. However, it says that controllers and processors must still ensure that they process personal data lawfully. Emergency is a legal condition which may legitimise restrictions of freedoms, provided the restrictions are proportionate and limited to the emergency period. The EDPB notes that there are a number of considerations, as follows:
In relation to lawfulness of processing, the General Data Protection Regulation ((EU) 2016/679) (GDPR) already allows public health authorities and employers to process personal data in an emergency without an individual's consent. The legal bases include:
where it falls under the public authority's legal mandate, provided by national legislation;
where it is necessary for reasons of substantial public interest in the area of public health, on the basis of EU or national law; and
to protect an individual's vital interests (Recital 46 of the GDPR specifically refers to the control of an epidemic).
In an employment context, the processing of personal data may also be necessary for compliance with a legal obligation to which the employer is subject, such as obligations relating to health and safety at the workplace, or to the public interest (such as the control of diseases and other threats to health). The statement contains some FAQs and the answers note the relevance of national laws.
The core principles of data processing must be adhered to; for example, personal data should still be processed for specified and explicit purposes and individuals should be provided with easily accessible transparent information on the data processing activities. Data security and confidentiality policies should ensure that data is not unlawfully disclosed. Also, the underlying decision-making and measures implemented to manage the COVID-19 emergency should be documented.
The use of mobile location data to monitor, contain or mitigate the spread of COVID-19 implies the possibility of geolocating individuals or sending them public health messages in a specific area. In principle, operators can only use location data when made anonymous or with individuals' consent. However, Article 15 of the E-Privacy Directive (2002/58/EC) enables member states to introduce legislation to safeguard public security, with adequate safeguards such as a judicial remedy. To be proportionate, the least intrusive solutions should be used, and they should be strictly limited to the duration of the emergency.