Proportionality — that’s the watchword companies need to adhere to in times of crisis. The challenge of the COVID-19 pandemic and concerted efforts to stop its spread have thrown data protection law into the global spotlight.

With companies and authorities alike doing everything they can to stem the transmission of the disease, measures like checking recent travel histories, taking body temperature and tracking patients’ movements have come to seem acceptable. But many are asking, how far should organizations go? Is it essential to share the name or other personal details of someone infected? What liability is there under data protection law?

Fortunately, there is plenty of legal guidance available, and Recital 46 of the EU General Data Protection Regulation specifically mentions epidemics: “The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest ... for instance when processing is necessary for ... for monitoring epidemics and their spread.”

Emergency measures

For companies in the EU, data processing must always be lawful under Article 6 and/or Article 9 of the GDPR, but some member states have already passed emergency laws waiving some of the obligations.

Italy, which COVID-19 has hit hardest, has passed emergency legislation that requires people in certain transmission risk categories to notify health authorities.

In New Zealand, Privacy Commissioner John Edwards said, “It will not be a breach of the Privacy Act for any accommodation provider or tourism operator to notify a medical officer or police officer of someone noncompliant with self-isolation obligations.”

Elsewhere, the U.S. Department of Health and Human Services introduced waivers for hospitals to disclose some patient information now that COVID-19 is a national emergency. While in Israel, the government has backed measures to track the mobile phones of people suspected or confirmed to have been infected.

Given all these special measures, it is not surprising that the Global Privacy Assembly said, “We are confident that data protection requirements will not stop the critical sharing of information to support efforts to tackle this global pandemic. The universal data protection principles in all our laws will enable the use of data in the public interest and still provide the protections the public expects. Data protection authorities stand ready to help facilitate swift and safe data sharing to fight COVID-19.”

But the principles of law still apply

Following a general press statement from Chair Andrea Jelinek March 23, the European Data Protection Board adopted a formal position March 19.

“I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data,” she said.

The EDPB added a state of emergency is “a legal condition which may legitimize restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period. When processing is necessary for reasons of substantial public interest in the area of public health, there is no need to rely on consent of individuals.”

In the employment context, “the processing of personal data may be necessary for compliance with a legal obligation to which the employer is subject such as obligations relating to health and safety at the workplace, or to the public interest, such as the control of diseases and other threats to health.”

There are two main areas of concern that the EDPB addresses: obligations on employers in terms of health data; and monitoring or tracking of individuals via telecoms data.

To start with the latter, the EDPB reminded that the ePrivacy Directive is the relevant piece of legislation, and “in principle, location data can only be used by the operator when made anonymous or with the consent of individuals.”

When it is not possible to only process anonymous data, Article 15 allows member states to introduce emergency legislation for national security or public security — so long as it constitutes “a necessary, appropriate and proportionate measure within a democratic society.”

The least-intrusive solutions should always be preferred, said the EDPB, but added that “invasive measures, such as the tracking of individuals could be considered proportional under exceptional circumstances.”

The use of telecoms data may not only be used to track at-risk individuals, as in Israel, but also to send public health messages. On March 16, many French people received a text message reminding them of the safety instructions to be applied to combat the spread of COVID-19, explained the French data protection authority, the CNIL.

“This type of information operation is provided for by law which requires telecommunications operators to disseminate to their subscribers' messages from the public authorities intended to warn the population of an imminent danger or a major disaster,” clarified the DPA.

In the U.K., the Information Commissioner's Office also clarified that data protection and electronic communication laws do not preclude the government, the National Health Service or any other health professionals from sending public health messages to people, either by phone, text or email as these messages are not direct marketing.

The EDPB also answered certain pertinent questions, such as:

• Can an employer require visitors or employees to provide specific health information in the context of COVID-19?
• Is an employer allowed to perform medical checkups on employees?
• Can an employer disclose that an employee is infected with COVID-19 to their colleagues or externals?

The answers are: maybe, if in line with national law; only if health and safety law requires it; and do not communicate more information than necessary.

It goes without saying, particularly as the information associated with COVID-19 is sensitive health data, genetic data and biometric data that companies should adhere to strong principles, such as purpose limitation, data minimization, data accuracy, security and storage limitation.

Nonetheless, Judy Krieg and Amy Lambert from law firm Fieldfisher urge companies, “Don't give in to the panic factor.”

“Yes, businesses may need to collect and use personal information about their employees in order to enforce their coronavirus protocols and to best advise their employees on how to limit the employee's risk of exposure. However, it is important not to forget that, although this could be a time-sensitive issue, the requirements of data protection law will still apply to any personal information that a company uses for these purposes.”

The tension with big tech

The concern is that companies start collecting this data for legitimate purposes and then try to use it for their business models. This is particularly worrying when those big companies,  like Facebook and Google, team up with national authorities in a time of crisis.

Michelle De Mooy, director of the Privacy & Data Project at the Center for Democracy & Technology, pointed out on Twitter: “Google may have altruistic reasons for becoming a public health resource, but it is also undeniably interested in gathering health-related data to make money. This is demonstrated most clearly by users visiting their COVID-19 site to connect to or create a Google (account). An account connects an identity to data, and that is the key to data monetization. The question is, when it’s a choice between benefiting a person's health, and satisfying a company’s desire to pursue its business interests, which one wins?”

This is where transparency is key. The EDPB underlined this in its advice saying, “data subjects should receive transparent information in easily accessible and clear language.”

“Data minimization still reigns supreme — set a clear protocol to collect only what you need. Keep your information accurate. Delete what you don't need,” Krieg and Lambert added. And, of course, make sure strong security measures are in place to ensure personal data are not disclosed to unauthorized parties.

Differing DPA approaches

Across the EU and in Canada, the U.K. (for now still following EU law) and New Zealand, DPAs have issued guidance. The IAPP has gathered these COVID-19 guidelines and listed them in our the Resource Center.

There are differences between the approaches. Hogan Lovells described the different emphases between the DPAs’ views as “restrictive, neutral or permissible.”Adding that “the right approach must lie in finding a balanced middle ground which does not ignore the application of essential privacy principles.”

But overall, “regulators highlight that data protection law is by no means a barrier to public health but advise organizations against 'systematic and generalized' monitoring and collection of data related to health of their employees outside official requests and measures of public health authorities,” explained Gabriela Zanfir-Fortuna, senior counsel at the Future of Privacy Forum. 

The ICO described itself as “a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern,” and said it will “take into account the compelling public interest in the current health emergency.

“The safety and security of the public remains our primary concern. The ICO and our colleagues in the public sector have this at the forefront of our minds at this time. We are here to help our colleagues on the frontline. We can offer advice to make sure the law around data protection and direct marketing is clear," it said in a statement.

Different DPAs around Europe have zoomed in on different areas of focus depending on their situation. The Danish DPA, Datatilsynet, highlighted the importance of internal data protection guidelines for employees working at home and the sorts of security measures that should be taken on company and personal devices to ensure strong data protection. The Slovenian DPA explained the particular requirements for medical institutions and those working in the health sector. Iceland focused on recommendations for employers and schools. In Norway, too, Datatilsynet answered questions regarding the use of video services for communications and webcams for schools doing remote-teaching. 

Greece, meanwhile, stressed the right to the protection of personal data is not absolute and its application should be balanced against other fundamental rights.

In Spain, the second hardest-hit country in Europe after Italy, the AEPD published a FAQ document and warnings about phishing campaigns on COVID-19.

However, almost all DPAs tackled the thorny question of when an employer is entitled to request medical records from employees. In the Netherlands, the AP highlighted the measures the employer has to take to process sensitive data and explains which information the employer is allowed to request and collect.

Some countries, including Austria and Hungary, provided sample questionnaires that companies can use for the collection of private contact details of employees at risk from infection.

According to NAIH, the Hungarian data protection authority, organizations can collect and process information about when an individual reports exposure or likely COVID-19 exposure and when an individual visited certain high-risk areas or was in contact with a known case. However, the questionnaire should not contain a full medical history of an employee.

The NAIH also reminded employers that can only introduce mandatory diagnostics or screenings with the assistance or supervision of health care professionals. Any other general and mandatory diagnostics or screenings (e.g., forced temperature checks) are unlawful.

At this difficult time, it can be easy to lose sight of the necessary checks and balances required to defend data protection rights. But following the guidelines and taking sensible basic precautions should mean employers and employees alike are protected.

Photo byFree To Use Sounds on Unsplash