Coronavirus affects data regulators around the globe
The coronavirus outbreak is set to test the limits of institutions and organisations the world over – including data watchdogs.
As the coronavirus crisis rapidly escalated over the last few days, data protection authorities have sprung into action. The EDPB published guidance for organisations yesterday on data processing rules – particularly those relating to health data – while authorities try to mitigate the Covid-19 outbreak.
The statement came after several national authorities published data protection advice. The EU’s own data watchdog, the European Data Protection Supervisor, has been working remotely as of last Friday.
Observers – some working from home themselves – have said the lack of EU-wide guidance has led to member states’ regulators offering diverging guidance, creating confusion for organisations across the bloc. Many also said the virus and its impact on society will stress-test the regulators, particularly as many authorities have limited resources.
The EDPB said that amidst a pandemic, the GDPR provided the legal grounds for employers and public health authorities to process personal data without the need to obtain consent of the data subject, such as when personal data processing is in the public interest, in the interest of public health or to protect vital interests.
Regarding the processing of electronic communication data, such as mobile location data, additional rules apply, the regulator said. The ePrivacy Directive – which ensures location data can only be used when anonymised or with consent – can allow member states to introduce legislation pursuant to national security and public safety that allows them to process data that has not been made anonymous.
But this emergency legislation must constitute a “necessary, appropriate and proportionate measure within a democratic society”, the EDPB said.
EDPB chair Andrea Jelinek said: “Data protection rules do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”
Data protection authorities in multiple countries – including France, Denmark, Iceland, Ireland, Italy, Luxembourg, the Netherlands, Norway, Poland, Spain and the UK – have all published personal data processing guidance in the wake of the outbreak, in an attempt to balance data privacy with public health needs.
In France, data regulator CNIL said on 6 March that employers cannot indiscriminately collect health data from their employees but can make a record of those taken ill. The Danish data authority issued similar guidance on 5 March and published data protection best practices for those “working from home” – employees are advised to use VPNs, avoid storing files locally and to connect remotely to the company’s own servers. Iceland echoed the Danish advice on health data collection and said the “minimum information” collected could include whether employees have just visited a high-risk area.
Ireland’s data watchdog said on 6 March that public health authorities may require the processing of health data but safeguards should be in place in order to protect employees and any measures should be “necessary and proportionate”.
The Italian regulator said on 2 March that employers should avoid any “systematic and generalised” collection of health data and should instead rely on employees self-reporting any symptoms. Luxembourg’s regulator issued similar guidance on 10 March, recommending employers set up “dedicated channels” for employees to report symptoms, ensuring their health data is secure.
In the Netherlands, health data protection measures mean employers may not record the nature of a person’s illness but can enquire as to how long they will be absent. Norway’s data authority said on 10 March that whether or not someone is infected with Covid-19 is considered health data, and therefore comes with added protections, but that information on whether someone has visited a high-risk area or has been in quarantine is not, and is therefore allowed to be recorded.
Poland’s data watchdog said at the end of February that sending mass texts to those in Poland regarding the spread of Covid-19 does not violate the GDPR, and cited crisis management legislation in support of the measure.
Spain’s AEPD said that despite the outbreak, there has been no suspension of “fundamental rights” and therefore data protection rules under the GDPR should be followed. But it said that data protection considerations should not be used to hinder or limit the effectiveness of the measures adopted by the authorities, especially health authorities, as personal data protection regulations already contain a caveat for such cases that reconciles and weighs the interests and rights of individuals against the common good.
The UK’s ICO told employers on 12 March that it is reasonable to ask people whether they have visited a particular country or are experiencing Covid-19 symptoms, but that they should minimise the information that needs to be collected.
The regulator said that if employers need to collect specific health data, they should not collect more than is necessary and should ensure that any information collected is treated with the appropriate safeguards. If organisations are ordered to share information with authorities about specific individuals, then data protection law won’t stop them from doing so.
In the US, the federal Department of Health and Human Services (HHS), which enforces health data legislation HIPAA, issued guidance in February to prevent “inappropriate” access to patient records in light of the outbreak.
HHS reminded health care providers that the HIPAA Privacy Rule, which protects patient confidentiality, should not be “set aside”. But under this rule, health professionals may share information on a patient with each other in order to treat them or another patient. It also permits hospitals and other insured entities to share patient information – without consent – with public health authorities, such as the Centers for Disease Control, to help curb the outbreak.
In the event of a “serious or imminent” threat to the public, health professionals may share patient information with “anyone as necessary”, HHS said, but most disclosures of information should be the “minimum necessary”.
Ahmed Baladi, a partner at Gibson Dunn & Crutcher in Paris, told GDR it is “unfortunate and rather disappointing” that organisations had to wait for each national DPA to issue guidelines. He said that many organisations were struggling to adopt procedures designed to protect their staff and visitors without receiving clear guidelines, if any.
“I think that is a reflection of the way the EU is handling the crisis. It has become a national matter whereas one needed more ‘EU’, more harmonisation.”
Baladi said that under an “exceptional scenario” such as this, national regulators may find it hard to implement the principles and requirements of the GDPR, but said national DPAs could not be blamed.
“In the absence of an EU approach they had to react,” he said.
“My view is that governments or EU institutions should have provided more guidance at a very early stage, adopting a pragmatic approach.”
“It is not surprising to note that they do not want private sector operators to collect health data,” but could have allowed the limited collection of health data through a health professional, kept the data for a limited period of time and adopted robust security measures, he said.
Alja de Zwart, a partner at Morrison Foerster in Brussels, said that this is an “extraordinary situation that could cost countless lives” and that data protection rules should not stand in the way of public health.
She said that while privacy and data protection have and always will be important, data protection legislation must be “flexible” in order to facilitate the monitoring and control of the ongoing pandemic in a proportionate way.
But the “substantially different” approaches of various data protection authorities have made it very difficult and confusing for multinational organisations to “figure out” what steps they must take to protect their workforce and others, De Zwart said.
“This is the time for the EDPB and the national data protection authorities to show that they can adapt in a time of crisis, and that the GDPR and its laws are flexible enough to facilitate the monitoring and control of such pandemics and not hinder it.”
Haflidi Kristjan Larusson, a partner at BBA//Fjeldco in Reykjavik said the Covid-19 outbreak is likely to have an impact on the Icelandic authority’s work over the coming months – both in relation to the increased number of cases and enquiries it must deal with and the effect on its own internal operations and workforce.
Larusson said the virus will certainly “stress-test” the regulator, “in light of the fact that the Icelandic DPA is already understaffed and underfunded” and that it is likely the situation will embolden the DPA’s calls for more funding and resources.
“But as the Icelandic government must now prioritise the use of funds and resources, it is unlikely that the government will give the regulator and data protection matters a priority over many other more pressing issues,” he said.
Jesús Yáñez, a partner at ECIJA in Madrid, told GDR that Spain’s state of emergency – effective from 14 March – means all administrative deadlines are suspended, allowing some breathing space for any ongoing investigations the Spanish AEPD must carry out, and also to companies that must provide documentation to the regulator.
As Spanish citizens liaise with their authorities using digital channels, Yáñez said this novel situation should not have a “great impact” on the AEPD’s operations, but the main issue is that not all administrative workplaces are ready for remote working, “which is a very different thing”.
“I’m sure the internal effectiveness inside the AEPD will be impacted. The implementation of the GDPR back in May 2018 already showed that more resources were needed, and of course these needs are going to become even more obvious over the coming days and weeks,” Yáñez said.
Thomas Olsen, a partner at Simonsen Vogt Wiig in Oslo, said the processing of health data on a large scale due to measures initiated by public authorities, employers and other stakeholders raises data protection concerns.
The subsequent demand for advice and clarification “may have a great impact on the DPA’s resources available to follow up on other enforcement actions”, Olsen said. But considering the extraordinary challenges many industries are facing, “I don't believe that this is the right time for the DPAs to call for more funding and resources,” he added.
Michael Madsen, a partner at Bird & Bird in Copenhagen, said the Danish data authority will be affected by the outbreak, as all employees have been sent home and asked to work remotely, which will have an impact on response time and initiatives.
“For the reasons stated above, this virus will surely stress-test DPAs,” Madsen said.
“I believe all DPAs are in agreement that data protection rules should not prevent data controllers from doing what is necessary to handle the pandemic. I think this is a situation where the legal interpretation must be pushed by the practical needs,” he said.
Eduardo Ustaran, a partner at Hogan Lovells in London, said that during a pandemic, “it is crucial to know how to make the most of data in a responsible and privacy-conscious way”.
“It is therefore understandable that data protection authorities from across the world are stepping in to provide their input and guidance, although we have seen fairly different positions ranging from very restrictive to rather permissive,” Ustaran said.
He said the differences among the regulators’ guidance suggest that the right approach must lie in finding a balanced middle ground which helps “harmonise” the various positions.
“Eventually I think that the data protection authorities will seek to provide practical guidance on this issue to help governments and organisations get it right without requiring intense regulatory involvement,” he said.
Paula Barrett, a partner at Eversheds Sutherland in London, said that – like all other organisations at this time – data authorities will find themselves tested.
“Interpreting the GDPR in a consistent manner, handling the tidal wave of enquiries on what employers and others can do and ongoing day to day workloads at a time of funding constraints may mean they are not well placed to deal with tests of remote working and a reduced workforce that the pandemic is bringing with it,” Barrett said.
She said the lack of a coordinated response and seemingly different interpretation of what is fundamentally the same legislation has many outside of Europe “perplexed”.
“If you have worked in data protection in the EU for some time, it isn’t perhaps so surprising. The differences in interpretation are as much cultural in derivation as they are longstanding,” Barrett said.
For some EU countries, there is a view that there is a very limited need for an employer to collect health data; rather that is a matter for the individual and a medical professional, she said. “But in the UK, we are more accustomed to such data being collected by our employer and others, and have extended the legal exemptions that apply to facilitate that.”
The differing guidance from the data regulators will mean clients wanting to roll out a global approach to various types of screening, for example, are therefore going to find this is not the straightforward, harmonised approach they thought GDPR was going to deliver, Barrett said.
Tanguy Van Overstraeten, a partner at Linklaters in Brussels, said that generally, the regulators have stressed that the GDPR should not hamper the efforts undertaken by EU countries to fight the coronavirus pandemic. The EDPB, for example, underlined several legal grounds that enable employers and public authorities to process personal data without the consent of the individuals in that context.
But Van Overstraeten said regulators have made it clear that the pandemic did not give employers and public authorities a “blank cheque” to engage in personal data processing activities. “To the contrary, the regulators expect the key principles of the GDPR to be very much part of the elements to be taken into consideration when processing personal data.”
Van Overstraeten told GDR that the principles of the GDPR remain an important element to ensure that even in times of crisis and fear, the rule of law continues to guide behaviour in a democratic state. “Indeed, inconsiderate disclosures of personal data could contribute to spread fear and may have catastrophic consequences for the individuals affected.”
“It is also important to underline that the right to data protection has to be balanced against other fundamental rights such as the rights to life and health care,” Van Overstraeten said.
Regarding mobile location data, which is particularly important given that the processing of such data is often cited as a means to help fight the epidemic, the EDPB has made it clear that additional requirements apply and that mobile location data processing should be anonymous and/or aggregated, Van Overstraeten told GDR.
But Van Overstraeten said two “grey areas” still remain to be explored. Firstly, the extent to which the “vital interests of the data subject or another natural person” can justify processing activities in the context of a pandemic, particularly as the GDPR allows the processing of health data only if the individual in question is “physically or legally incapable of giving consent”.
Secondly, there are questions on what the impact emergency legislation such as the one referred to by the EDPB will have – while the EDPB noted that such legislation must “put in place adequate safeguards, such as granting individuals the right to judicial remedy”, given the emergency, such legislation may not extensively address the data protection related aspects, Van Overstraeten said.