The EU General Data Protection Regulation (GDPR) has very strict conditions regarding the collection and handling of sensitive health data; these terms remain in effect even as Europe adopts extreme measures to combat the coronavirus (Covid-19) outbreak. As various organizations attempt to track the spread of the virus for the sake of public health, they face the added challenge of keeping within the bounds of regulations that are tight even in an emergency situation.
GDPR changes during a public health emergency
The GDPR does contain some emergency provisions that loosen up the rules somewhat during an emergency such as the coronavirus outbreak, and some of the hardest-hit nations are already making use of them.
GDPR Article 9 (2) (i) is the section that governs emergency powers. It lifts the prohibition on any processing of sensitive personal information in the case of ” … reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care.” In this case, the standard of protection of this data still mandates “suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.” The data protection authority of a member country is given power to adopt temporary rules that expand access while still preserving key GDPR protections.
Recital 46 also specifies ” … monitoring epidemics and their spread or in situations of humanitarian emergencies,” allowing the processing of personal data when it is necessary to protect a person’s life within that context. Recital 52 makes a similar allowance for “the prevention or control of communicable diseases and other serious threats to health.”
Italy, which has seen the worst of the coronavirus in Europe thus far, passed Civil Protection Ordinance No. 630 in the early days of the outbreak. This law is valid until the end of July and allows Civil Protection Department members expanded powers to process sensitive personal data. The department now has access to certain categories of sensitive data, such as genetic and health data, but must secure it from unauthorized access.
France’s Agences régionales de santé (ARS) published a similar notice granting access to health authorities as well as certain private sector partners. Everyone involved is expected to collect only the data that is necessary to perform their duties, and data subjects retain their rights to view and modify collected data. The notice establishes that data will only be held until the end of February 2021 at the latest.
Germany’s national law, the Federal Data Protection Act, addresses emergency scenarios directly under Article 9 and allows health agencies throughout the country to have expanded access to sensitive personal information. However, access to some specific information categories requires specific circumstances and also certain prescribed data security measures to be in place.
France’s Commission nationale de l’informatique et des libertés (CNIL) also issued some specific guidance as to what is still off the table even during an emergency at the level of the coronavirus. Employers are not allowed to systematically collect data on the symptoms that employees are experiencing, for example requiring them to provide medical histories or submit to daily temperature checks. However, it also specified some measures that are legal for employers to implement: creating plans for working from home, providing coronavirus recognition and mitigation training, and recording the identities and dates of any reports of suspected infection.
Will the Coronavirus change GDPR data collection for good?
Much of the social concern around the coronavirus is exactly how long emergency measures, such as quarantines and travel bans, can be expected to be in place. Businesses should expect these emergency data collection measures to run roughly parallel to these various national and local states of emergency. With nations such as China, Singapore and Taiwan showing an ability to contain and even reverse the exponential growth of coronavirus cases in recent days, expectations of a return to “business as usual” in terms of GDPR rules at some point later in 2020 are prudent.
The CNIL guidance in particular demonstrates that businesses have an expanded ability to process data in the name of health and safety until the coronavirus subsides, but it is not a limitless ability and there are still clear boundaries. A demonstrable “data minimization” approach that limits collected information to only that which is absolutely necessary for the purpose at hand will go a long way toward keeping an organization within compliance boundaries.
Organizations should also keep all health information as transparent as possible and keep in mind that the data subject retains certain rights to access, correct and delete it. Some privacy advocates have raised concerns about these temporary erosions of data protection law, speculating that the personal data collected now will not be deleted once the coronavirus emergency is over and could be used for profiling or insurance premium quotes. From the personal privacy end, it looks like it will be incumbent upon individuals to know what the law of their particular country specifies in terms of long-term data storage and to exercise their right under the GDPR to access it if they have any concerns.