EU Regulators Say Coronavirus Doesn't Nix Data Protections

By Allison Grande
Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.

Sign up for our Consumer Protection newsletter

You must correct or enter the following before you can sign up:

Select more newsletters to receive for free [+] Show less [-]

Thank You!



Law360 (March 17, 2020, 10:19 PM EDT ) The European Union's data protection authorities have warned that while the law provides few barriers to processing the personal data necessary to help fight the global coronavirus pandemic, companies and public authorities need to either obtain consent or strip identifying details from location data before using this information.

As the pandemic intensifies, the European Data Protection Board — which is made up of the national data protection authorities from each member state — weighed in Monday on the privacy issues surrounding the increased volume of health and other personal data that employers, public health authorities and others are gathering in their efforts to contain the virus.

Although data protection rules, including the EU's landmark General Data Protection Regulation, "do not hinder measures taken in the fight against the coronavirus pandemic," those charged with processing this data "even in these exceptional times ... must ensure the protection of the personal data of the data subjects," according to Austrian Data Protection Authority Andrea Jelinek, who chairs the EDPB.

"Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data," Jelinek added in a statement Monday.

The regulators specifically zeroed in on the processing of electronic communication data, including mobile location data, to mitigate the spread of COVID-19.

Generally, the GDPR provides for the legal grounds that enable employers and public health authorities to process personal data in the context of epidemics without the need to obtain the consent of the individual to whom that data belongs. This includes when the processing of personal information such as health histories and current medical status is necessary for employers to collect in order to protect public interest in the area of public health, the regulators said.

However, "additional rules apply" to the processing of electronic communications data, the regulators said.

Specifically, national laws that each member state has put on its books to implement the EU's e-privacy directive restrict the use of location data to instances where it has been made anonymous or where the individuals' consent has been obtained, according to the board.

The regulators advised that employers and public health authorities first aim to process location data "in an anonymous way," such as by generating reports that reveal the concentration of mobile devices at a certain location rather than the presence of a particular device.

If such processing is not possible, the regulators did note that the e-privacy directive allows member states to introduce emergency legislation to address national security and public safety concerns, although the board stressed that if such measures are floated, member states are still required "to put in place adequate safeguards, such as granting individuals the right to judicial remedy."

The World Health Organization — which last week declared COVID-19 a global pandemic — has documented more than 184,000 cases of infection worldwide, with over 7,500 deaths since it emerged in Wuhan, China, late last year.

Several data protection regulators from individual EU member states, including Italy, France and Ireland, have in recent weeks offered somewhat contradictory guidance on where the lines should be drawn when it comes to collecting, sharing and using health data in connection with the virus, leading some experts to call for the EDPB to come out with more harmonized advice.

The data protection regulator in Italy, which has been hit particularly hard by the virus, issued some of the earliest guidance on the topic. In a March 2 advisory, the Garante recommended companies refrain from undertaking "autonomous initiatives" — including making specific requests to individual workers — to collect information about workers' current health status, their contacts or life outside of work.

The French authority, CNIL, similarly advised against collecting data that would "go beyond the management of suspected exposure to the virus," and explicitly came out against the practices of recording employees' or visitors' temperatures and distributing medical questionnaires.

On the other end of the spectrum, Ireland's Data Protection Commissioner has said that while data processing activities need to be necessary and proportionate, employers may be justified in asking employees and visitors about their travel histories and whether they're experiencing symptoms in order to meet their legal obligation to maintain a safe workplace.

--Editing by Breda Lund.

For a reprint of this article, please contact reprints@law360.com.

Hello! I'm Law360's automated support bot.

How can I help you today?

For example, you can type:
  • I forgot my password
  • I took a free trial but didn't get a verification email
  • How do I sign up for a newsletter?
Ask a question!