The European Data Protection Board (EDPB) has adopted a statement about governments, public and private organisations across Europe taking measures to contain and mitigate COVID-19.
In the statement issued March 16, EDPB emphasised: “Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic.”
“It is in the interest of humanity to curb the spread of diseases and to use modern techniques in the fight against scourges affecting great parts of the world. Even so, the EDPB would like to underline that, even in these exceptional times, the data controller and processor must ensure the protection of the personal data of the data subjects.”
In relation to the lawfulness of processing, the EDPB explained that GDPR allows the processing of personal data, by competent public health authorities and employers, in the context of an epidemic, as long as it is in accordance with national law and “within the conditions set therein.”
In the employment context, EDPB added that the processing of personal data may be necessary “for compliance with a legal obligation to which the employer is subject such as obligations relating to health and safety at the workplace, or to the public interest, such as the control of diseases and other threats to health.”
The committee added: “with regard to the processing of telecom data, such as location data, national laws implementing the ePrivacy Directive must also be respected. In principle, location data can only be used by the operator when made anonymous or with the consent of individuals.”
However, Article 15 of the ePrivacy Directive allows Member States to introduce legislative measures to safeguard public security, as long as it constitutes a necessary, appropriate and proportionate measure within a democratic society, and in accordance with the Charter of Fundamental Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms.
The use of mobile location data to track the spread of COVID-19 has reached headlines worldwide, with Israel and South Korea allowing authorities to trace those thought to have contracted the coronavirus.
Last week, reports emerged that emergency measures may be introduced by the UK government to trace mobile phone data of those suspected to have the virus in order to track the spread.
Subsequently, in the statement, the EDPB explained with regard to using mobile location data to monitor, contain or mitigate the spread of COVID-19: “Public authorities should first seek to process location data in an anonymous way (i.e. processing data aggregated in a way that individuals cannot be re-identified), which could enable generating reports on the concentration of mobile devices at a certain location (“cartography”).”
“If measures allowing for the processing of non-anonymised location data are introduced, a Member State is obliged to put in place adequate safeguards, such as providing individuals of electronic communication services the right to a judicial remedy. The proportionality principle also applies. The least intrusive solutions should always be preferred, taking into account the specific purpose to be achieved.”