Covid-19 prompts data enforcement slowdown
Data regulators are backing off from enforcement and relaxing stances on tough issues like data sharing in order to let data holders focus resources towards the covid-19 crisis.
Data protection and privacy regulators have sprung into action over the last few weeks to advise companies through the coronavirus pandemic – and several major regulators are now stepping back from enforcement.
Watchdogs such as the UK Information Commissioner's Office and France’s CNIL have said that their regulatory response will change. Despite the different approaches being taken by each authority, regulators are overall adopting flexible approaches and considering the practical challenges faced by the companies they regulate.
The ICO last week said it will “delay any specific guidance that could impose a burden that diverts staff from frontline duties, except where it is needed to address a high risk to the public”. The regulator will also take into account the impact of the crisis when handling public complaints about organisations. “This may mean we resolve the complaint without contacting an organisation, for example if it is focusing its resources on the coronavirus frontline.”
Some authorities are extending the time given to controllers to respond to regulatory information requests. The ICO said that it will give controllers longer than usual to respond or rectify any breaches “if [a controller] is recovering its service and gradually improving timescales”.
CNIL has also delayed several deadlines. Organisations now have until 24 June to comply with some formal notices from the authority and response times to complaints will be extended.
However, the French authority said that it continues to process the majority of other requests under the usual timelines. It said it will attempt to avoid any unnecessary delay in the implementation of processing.
The UK’s ICO had gone further than France and said its decision to launch investigations will be focused on cases of “serious non-compliance”. When conducting investigations, it will take into account the particular impact of the crisis on that organisation, it said. “This may mean less use of formal powers that require organisations to provide us with evidence.”
The UK regulator will also take a more lenient approach to regulatory action, including a reduced level of fines. “We will take into account whether the organisation’s difficulties result from the crisis, and if it has plans to put things right at the end of the crisis,” it said.
Ireland’s Data Protection Commission has stated that deadlines for requests, such as access requests from individuals, are written into the GDPR and can’t be changed. But unavoidable delays may arise as a result of the health crisis.
The regulator has not explicitly stated that extensions will be granted, but said it is “very alive to the unprecedented challenges facing organisations and the need for a proportionate regulatory approach”. It said that “frontline and critical services such as healthcare and social services may need to divert resources to priority work areas with consequential impacts on other areas”.
“Where an organisation, due to the impact of covid-19, cannot respond to a request in full or in part within the statutory timelines, they remain under an obligation to do so and should ensure that the request is actioned as soon as possible,” the Irish regulator said.
Canada’s federal Office of the Privacy Commissioner has adopted a similar response to the Irish regulator. "In the context of investigations, we have advised certain organisations that while we cannot extend statutory deadlines under the law, we will be flexible in our enforcement of it. Clearly, however, the situation remains fluid which would call for the potential to revisit the situation as needed," it said.
The Canadian watchdog advised that organisations give notice to requesters and clients if they are at reduced capacity and expect it will have an impact on privacy issues such as access requests and measures that limit the rights of data subjects.
The Schleswig-Holstein watchdog in Germany is also slowing down its activities in light of the crisis. Marit Hansen, head of the regulator, told GDR that extensions to respond are being given on a case-by-case basis, except in circumstances of a breach – which must be mitigated immediately.
But investigations are still ongoing. “We would only conduct on-premise investigations in serious cases – they are rare in Schleswig-Holstein. But we have also much work to do with ongoing, less serious, cases from the time before the pandemic,” Hansen said.
The Dutch regulator has also given organisations more time to respond to questions and has highlighted that healthcare organisations will be given more leniency with regards to data sharing. The authority said it has already allowed a healthcare provider to reach out, via an intermediary, to former healthcare personnel to help in cases of critical personnel shortage.
However, despite making some concessions, the Dutch caution that privacy is still a priority. “The coronavirus crisis should not become an excuse for throwing privacy completely overboard,” chair of the Dutch authority Aleid Wolfsen said. “The crisis should not become a prelude to a Big Brother society.”
A spokesperson for Belgium’s Data Protection Authority told GDR that it also allows deadline extensions for controllers “if appropriate and justified by the specific demand”.
Other regulators have loosened privacy restrictions to help ease communication during the crisis. The state commissioner for data protection of Lower Saxony, Barbara Thiel, said she will allow schools to use WhatsApp in individual cases for a limited period of time. Public authorities are not usually allowed to use the app due to data collection concerns. But Thiel has suggested that although the use of WhatsApp will be permitted, people should “seriously consider alternatives”.
Not all regulators are taking similar measures. The German federal watchdog told GDR that it is not planning any measures to slow down activities due to the pandemic.