In a statement released Monday, the chair of the European Data Protection Board (EDPB) addressed what companies need to consider as they process different types of personal data in the context of the coronavirus.
Data protection rules, such as the EU’s General Data Protection Regulation (GDPR), “do not hinder measures taken in the fight against the coronavirus pandemic,” said EDPB Chair Andrea Jelinek. “However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”
The GDPR contains rules that apply to the processing of personal data in a context such as the one relating to COVID-19. “Indeed, the GDPR provides for the legal grounds to enable the employers and the competent public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject,” Jelinek said. This applies, for example, when the processing of personal data is necessary for employers for reasons of public interest in the area of public health or to protect vital interests (Articles 6 and 9 of the GDPR) or to comply with another legal obligation, she said.
In addition to the EDPB’s guidance, individual data regulators throughout the European Union—such as the U.K.’s Information Commissioner’s Office and Ireland’s Data Protection Commission—have also provided their own FAQs on the topic.
Mobile location data
For the processing of electronic communication data, such as mobile location data, additional rules apply. The national laws implementing the ePrivacy Directive provide for the principle that location data can only be used by the operator when they are made anonymous, or with the consent of the individuals.
Public authorities should first aim to process location data in an anonymous way (i.e., processing data aggregated in such a way that it cannot be reversed to personal data), which could enable the generation of reports on the concentration of mobile devices at a certain location, Jelinek said. When it’s not possible to only process anonymous data, Article 15 of the ePrivacy Directive enables member states to introduce legislative measures pursuing national security and public security. In this context, safeguarding public health may fall under the national and/or public security exception, the EDPB noted.
“This emergency legislation is possible under the condition that it constitutes a necessary, appropriate, and proportionate measure within a democratic society,” Jelinek said. “If such measures are introduced, a member state is obliged to put in place adequate safeguards, such as granting individuals the right to judicial remedy.”