The COVID-19 crisis has brought the difficult balance between individuals' privacy rights and health and safety restrictions to the forefront of the debate. The crisis is a serious first test for the GDPR and for the Supervisory Authorities in the EU, since some of the measures taken by governmental authorities, and to a certain extent by organizations, to contain the spread of COVID-19 have raised serious concerns about their compliance with data protection requirements.
Individuals have indeed been exposed to new processing activities, such as the collection of health data or geolocation data, the use of new technological solutions (e.g. contact tracing tools), and changes in their working environment (e.g. working from home). This unprecedented health crisis should therefore lead us to assess whether these exceptional circumstances have actually hindered individuals' rights.
One of the responses to this question came from the European Data Protection Board (EDPB), which in its statement of March 19, 2020 recalled that "even in these exceptional times" the GDPR still applies and that "data controller and processor must ensure the protection of the personal data" of individuals. Supervisory Authorities have also issued their own guidance on the processing of personal data during the pandemic and on the implementation of new tools, notably for teleworking and contact tracing applications.
While it is difficult to confirm whether the EDPB's declaration was followed up in a practical and effective manner, a trend can be identified by looking at some of the individuals' rights that have been exposed to COVID-19 related restrictions.
COVID-19: have individuals' privacy rights been impacted?
One of the most fundamental principles stemming from the GDPR, even more so in the context of the COVID-19 pandemic, is the implementation of adequate security measures, as the EDPB recalled in its statement of March 19, 2020.
Yet the pandemic has not deterred cyber-attacks, including against organizations on the front line of the fight against COVID-19. For instance, on March 22, 2020, the AP-HP (Assistance Publique-Hôpitaux de Paris), the Paris hospital network, suffered a distributed denial-of-service (DDoS) attack. Even the World Health Organization (WHO) reported that attackers had impersonated it in fraudulent emails and WhatsApp messages in an attempt to extract personal information from individuals. In April 2020, the Italian social security website suffered an outage attributed to a cyberattack.
Moreover, the increased use of remote IT and communication tools by organizations, such as videoconferencing, has widened the attack surface and increased the risk of cyber-attacks, notably phishing.
Such cyber risks and attacks have led authorities to react. Regarding teleworking, Supervisory Authorities have issued specific guidance for employers to ensure the security of data. The French Supervisory Authority (CNIL) recommended that, in order to secure the information system, employers should notably draw up a security charter for teleworking and communicate it to employees, implement adequate security measures (firewall, antivirus software) on employees' workstations, and put authentication measures in place.
More specifically concerning videoconferencing tools, the UK Supervisory Authority (ICO) stated that the privacy and security settings of such tools should be checked and that all software should be kept up to date. The Irish Supervisory Authority (DPC) published a statement with tips on video-conferencing for individuals and organizations, calling on organizations to minimize data protection risks.
Based on the above, although cyber-attacks have increased during the pandemic, nothing indicates that Supervisory Authorities regard such attacks, even under these exceptional circumstances, as inevitable and therefore to be tolerated. On the contrary, Supervisory Authorities have stressed the need to raise awareness of cyber risk and to improve security measures during this health crisis.
The implementation of specific public health measures may require the collection of health data, such as temperature checks, serological tests and health questionnaires, which has led Supervisory Authorities to issue recommendations to ensure that individuals' rights are protected. Regarding temperature checks, the CNIL issued a publication recalling that an individual's body temperature constitutes a special category of data, which justifies specific protection, and that employers are prohibited from setting up automatic temperature recording tools and from creating files containing temperature data on their employees.
On a dedicated webpage on testing in the context of the pandemic, the ICO underlined that the principle of transparency is very important and that "an employer should be clear, open and honest with employees from the start about how and why" the processing is carried out. The Italian Supervisory Authority stated that, even if body temperature checks on employees can be performed, the results should not be recorded.
Again, Supervisory Authorities have warned all organizations that the fight against the spread of COVID-19 does not justify the disproportionate collection of personal data, in particular special categories of data.
Several EU governments have declared a state of emergency in order to restrict individuals' freedoms, such as movement and public gatherings, or even the exercise of their privacy rights. Given the risk that some EU Member States could abuse the situation, the EDPB had to react.
In that respect, on June 2, 2020, the EDPB adopted a statement on restrictions on data subject rights in connection with the state of emergency in Member States. This statement followed the adoption by the Hungarian Government of a Decree in which it was provided that, inter alia, “all measures following data subject’s request exercising the rights based on the GDPR are suspended until the end of the state of danger”. In its statement, the EDPB recalled the principles related to the restrictions of individuals’ rights, allowed by Article 23 of the GDPR.
In particular, it stressed that the mere existence of a pandemic or other emergency situation is not a sufficient reason to restrict individuals' rights. The EDPB further underlined that a state of emergency adopted in the context of a pandemic is a legal condition that may legitimize restrictions on data subjects' rights, provided that such restrictions apply only where they are strictly necessary and proportionate to safeguard the public health objective. Finally, the EDPB stated that "if restrictions contribute to safeguarding public health in a state of emergency, the EDPB considers that the restrictions must still be strictly limited in scope (e.g. as to the data subject rights concerned or the categories of controllers concerned) and in time".
This statement from the EDPB is somewhat ambiguous, since it acknowledges that restrictions on individuals' rights may be implemented as long as they are limited in scope and in time. It is regrettable that the EDPB did not provide further guidance on these conditions.
In order to ensure compliance with all data protection principles, Supervisory Authorities have also issued guidance for developers of contact tracing applications.
The EDPB, in its Guidelines 04/2020 on the use of location data and contact tracing tools, recalled the importance of the principles of data minimization and data protection by design and by default. Developers should ensure that only the minimum amount of data necessary for the purpose of the processing is processed.
In addition, these guidelines include an annex with practical recommendations for developers of contact tracing applications regarding, notably, functional considerations, technical properties and security. It should be underlined that among these recommendations is the advice to implement "state-of-the-art cryptographic techniques".
Regarding individuals, the EDPB publication underlines that contact tracing applications should rely on pseudonymised personal data and that the use of such apps should be voluntary.
Following the interoperability guidelines for approved contact tracing mobile applications in the European Union, published by the European Commission on May 13, 2020, the EDPB supplemented its Guidelines 04/2020 with a statement, published on June 16, 2020, on the data protection impact of the interoperability of contact tracing apps. In this statement, the EDPB recalls that users should be able to control their data and should be able to clearly understand what the use of the application entails.
This is another example of a public health measure that could have had a serious impact on individuals' rights, but Supervisory Authorities once again paid very close attention to the issue by reminding organizations of their obligations and by setting limits and conditions on such processing activities. It is telling that the EDPB felt the need, in its latest statement, to insist that individuals must always keep control of their data.
In conclusion, the first lesson learned from this exceptional crisis is that a lack of cooperation between Supervisory Authorities on the data protection issues arising from the COVID-19 pandemic could have created even more uncertainty for individuals and organizations. The situation has, however, progressively improved, and greater coherence can be seen between the various guidelines and statements of the Supervisory Authorities and the EDPB.
Finally, the key message from the EDPB and the Supervisory Authorities is that individuals' rights must be respected at all times, even in the context of an exceptional health crisis. It may be a little too soon to assess whether, in practice, individuals' rights have been hindered in some EU Member States. A more definitive answer may come in the near future, should complaints be filed with Supervisory Authorities.