Managing the COVID-19 outbreak and stopping its spread is now a global challenge. In addition to the significant health and medical responses underway around the world, governments and public health officials are focused on how to monitor, understand and prevent the spread of the virus. Data protection and privacy laws, including the EU General Data Protection Regulation and various U.S. laws, are informing these responses.

One major response to limiting the spread of infection is contact tracing, which is the practice of identifying and monitoring anyone who may have come into contact with an infected person. Employers and educational institutions are also imposing travel restrictions, instituting self-quarantine policies, limiting visitors, and considering whether to require medical examinations. These responses necessarily involve obtaining and potentially sharing personal information, including data about an individual’s health, travel, personal contacts, and employment. For example, in the U.S., the Centers for Disease Control and Prevention has asked airlines for the name, date of birth, address, phone number and email address for passengers on certain flights. 

As IAPP Editorial Director Jedidiah Bracy, CIPP, explored in his piece on using AI and big data to manage the outbreak — has issued guidance recognizing the need to limit the collection of data and its use during this public health crisis.  

EU law

EU countries collecting personal data as part of their COVID-19 response will be required to comply with the GDPR (as well as their own laws). For example, Italy’s data protection authority, the Garante, adopted a decree addressing the intersection between the GDPR and COVID-19, the need for processing special categories of personal data, and how some data protection rights could be suspended to combat the virus. The Garante has issued further guidance prohibiting “do-it yourself” data collection. DPAs in France and Ireland have likewise taken positions on the handling of personal data in the context of responding to COVID-19.  

The GDPR also addresses public health crises specifically and includes provisions relating to the processing of personal data.

Article 6 — Processing without consent

The GDPR’s Article 6 provides that the processing of personal data without consent is lawful where it is necessary for compliance with a legal obligation to which the controller is subject, to protect the vital interests of the data subject or of another natural person, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Recital 46 specifically recognizes certain provisions in Article 6 may be relevant for purposes of public health crises, noting “[s]ome types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.” 

Pursuant to Recital 46, processing personal data “should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person.” Recital 46 suggests the “vital interest” exception should be construed narrowly, stating processing personal data based upon the vital interest of another natural person “should in principle take place only where the processing cannot be manifestly based on another legal basis.”

Article 6 does impose some limitations on these exceptions, requiring the basis for processing personal data under the public interest exception or to comply with a controller’s legal obligation be an EU or member state law and that this law “meet an objective of public interest and be proportionate to the legitimate aim pursued.” Member States also may adopt more specific provisions with regard to processing for compliance with a legal obligation or for performing a task in the public interest, including to ensure such processing is lawful and fair.

Recital 45 describes different ways member states might approach these issues and notes that processing under this public interest exemption could be carried out by public authorities or private parties. In addition, the principles in Article 5 relating to the processing of personal data, including transparency, would still apply, except where restricted by member state law for reasons of national security, public security, to protect the rights and freedoms of others, or for other similar exemptions outlined in Article 23, all of which require a “necessary and proportionate” test.

Article 9 — Processing special categories of data

The GDPR's Article 9, which prohibits processing of special categories of personal data (including biometric and health data) without explicit consent, also has similar exceptions, including where processing is necessary:

  • “to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;"
  • “for reasons of substantial public interest;”
  • “for the purposes of preventive or occupational medicine. . . medical diagnosis. . . [or] the provision of health or social care or treatment;" and
  • “for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health."

Recitals 52, 53, and 54 further inform these provisions. Recital 52 acknowledges the need for processing special categories of personal data for “the prevention or control of communicable diseases and other serious threats to health” and Recital 53 emphasizes such data should be processed for health related purposes “only where necessary to achieve those purposes for the benefit of natural persons and society as a whole,” with EU or member state law providing “specific and suitable measures” to protect the data. Recital 54 recognizes processing special categories of personal data without consent may be necessary for public health reasons but makes clear such processing should not result in the data being processed for other purposes by third parties, such as employers or insurance companies.   

Article 17 — Right to erasure

It is worth noting the provisions in Article 17 regarding the right to erasure of personal data do not apply to the extent processing is necessary “for reasons of public interest in the area of public health.” 

The provisions referenced above make clear the authors of the GDPR anticipated the situation now unfolding, as authorities grapple with how best to safeguard the health, well-being and personal data of individuals across the EU and around the globe. 

U.S. law

Although there is no omnibus data protection law at the federal level in the U.S., several federal and state laws offer privacy protection to certain types of data. Given the sectoral approach to privacy under the U.S. legal system, it is worth exploring the protections that exist under U.S. law for certain types of data relevant to this discussion, namely protected health information, employment data, and location data.

Health data

The Health Insurance Portability and Accountability Act Privacy Rule protects the privacy of a patient’s health information. Its protections, however, are not absolute. In February, the U.S Department of Health and Human Services released a Bulletin outlining when disclosure of health information is allowed, including for public health purposes and “to prevent a serious and imminent threat.” The Bulletin notes most disclosures of information must be limited to the “minimum necessary” to accomplish the purpose. This guidance clearly aligns with the GDPR’s exemption for processing special categories of data when necessary to protect against serious cross-border threats to health.

Employment data

The Americans with Disabilities Act may also be relevant for employers trying to determine if they can take employees’ temperatures or ask employees about their travel and personal health status. While the U.S. Equal Employment Opportunity Commission has some information on its website regarding the coronavirus and refers to CDC guidelines, the specific guidance it provides is from 2009 and relates to pandemic planning for influenza. Whether these recommendations will change if the virus becomes more prevalent in the U.S. remains to be seen.       

Location data

The Fourth Amendment to the U.S. Constitution also protects certain expectations of privacy, including a person’s physical location and movement. In Carpenter vs. U.S., the Supreme Court considered how to apply the Fourth Amendment to historical cell phone records, specifically cell-site location information, “that provide a comprehensive chronicle of the user’s past movements.” The government had obtained these records as part of a criminal investigation and argued Carpenter should have no expectation of privacy in this information because he voluntarily provided it to third parties (the “third party doctrine” previously recognized by the Supreme Court in United States v. Miller and Smith v. Maryland).

The Supreme Court in Carpenter disagreed, recognizing:

[quote]Mapping a cell phone’s location [for an extended period] provides an all-encompassing record of the holder’s whereabouts. As with GPS information, the time-stamped data provides an intimate window into a person’s life, revealing not only his particular movements, but through them his “familial, political, professional, religious, and sexual associations.”[/quote]

It concluded the government invaded Carpenter’s reasonable expectation of privacy “in the whole of his physical movements” when it accessed cell-site location information from wireless carriers.

As the number of COVID-19 cases in the United States grow, and correspondingly the need for contact tracing, further discussion in the U.S. regarding the privacy interests discussed in Carpenter and the need to quickly address a public health issue seems likely. As the Supreme Court noted in Carpenter, cell phone tracking is “near perfect surveillance” that “is remarkably easy, cheap and efficient compared to traditional investigative tools.” 

In contrast, obtaining passenger data from airlines is proving difficult for the CDC, impairing its contact tracing efforts.

Broader considerations

The above touches only on some of the relevant EU and U.S. legal guidelines. There are many other national and sub-national laws around the world that could affect how personal data is tracked and shared within and across borders as part of the COVID-19 response. This is not the first global health crisis in which these privacy considerations arise, but it is the most significant since the GDPR took effect and issues of data protection increasingly have become a focus for governments and individuals. 

Understanding what these laws require in such situations and how they are applied will be critical both during the management of COVID-19 and as authorities take stock in the months and years ahead.

Photo by CDC on Unsplash